Variant (Draft)

CWE-493: Critical Public Variable Without Final Modifier

Category: other

Description

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.

Common consequences (2)

  • Integrity — Modify Application Data
    The object could potentially be tampered with.
  • Confidentiality — Read Application Data
    The object could potentially be read.

Potential mitigations (1)

  • [Implementation] Declare all public fields as final when possible, especially if they are used to maintain the internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
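The following Java snippet is an added illustration and is not part of the MITRE entry. It places a class with a critical public non-final field beside the hardened form the mitigation describes (field made private and final, validated once in the constructor, and read through an accessor). The class and field names (`WithdrawalPolicyWeak`, `WithdrawalPolicy`, `limit`, `allows`) are invented for the example.

```java
// Added example for CWE-493; names and the withdrawal scenario are assumptions.

// Weak form: `limit` is public and not final, so any code holding a reference
// to the object can overwrite it after construction. `allows()` silently
// trusts whatever value is there.
class WithdrawalPolicyWeak {
    public int limit;                       // CWE-493: critical, public, not final

    WithdrawalPolicyWeak(int limit) { this.limit = limit; }

    boolean allows(int amount) { return amount <= limit; }
}

// Hardened form: the field is private and final, checked once at construction,
// and only readable through an accessor. The decision method also sanity-checks
// its own input rather than assuming callers pass sensible values.
final class WithdrawalPolicy {
    private final int limit;

    WithdrawalPolicy(int limit) {
        if (limit <= 0) {
            throw new IllegalArgumentException("limit must be positive");
        }
        this.limit = limit;
    }

    int limit() { return limit; }

    boolean allows(int amount) { return amount > 0 && amount <= limit; }
}

public class Cwe493Demo {
    public static void main(String[] args) {
        WithdrawalPolicyWeak weak = new WithdrawalPolicyWeak(500);
        weak.limit = Integer.MAX_VALUE;     // compiles: nothing protects the field
        System.out.println("weak policy allows 1000000: " + weak.allows(1_000_000));

        WithdrawalPolicy hardened = new WithdrawalPolicy(500);
        // hardened.limit = Integer.MAX_VALUE;  // compile error: private and final
        System.out.println("hardened policy allows 1000000: " + hardened.allows(1_000_000));
    }
}
```

Making the field final removes the whole class of state changes the description warns about, so the assumption in `allows()` holds for the lifetime of the object; the constructor check and the accessor cover the "sanity checks" half of the mitigation for any value that still has to be exposed.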

References

  1. https://cwe.mitre.org/data/definitions/493.html

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Access to Critical Private Variable via Public Method
  • CWE: Public Static Field Not Marked Final
  • CWE: Public Static Final Field References Mutable Object
  • CWE: Critical Data Element Declared Public
  • CWE: Array Declared Public, Final, and Static
  • CWE: Insufficient Encapsulation

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.