Abstraction: Variant; Status: Incomplete

CWE-583: finalize() Method Declared Public

Category: other

Description

The product violates secure coding principles for mobile code by declaring a finalize() method public. A product should never call finalize() explicitly, except to call super.finalize() inside its own implementation of finalize(). In mobile code situations, the otherwise error-prone practice of manual object cleanup becomes a security threat if an attacker holding a reference to a live object can invoke its finalize() method directly, which is possible only because the method is declared with public access.

Common consequences

  • Confidentiality / Integrity / Availability — Alter Execution Logic, Execute Unauthorized Code or Commands, Modify Application Data

Potential mitigations

  • [Implementation] If you are using finalize() as it was designed, there is no reason to declare it with anything other than protected access. Object.finalize() itself is protected; overriding it with public access widens the set of callers from the garbage collector, subclasses and same-package code to any code holding a reference.
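As an added example (not part of the CWE entry or of any real product), the weak form and the corrected form side by side in Java. The class names LeakySession and GuardedSession, the byte-array stand-in for a session handle, and the "attacker" call site are all constructed for illustration:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Illustrative example for CWE-583; all names are assumptions, not real code.

// Weak: finalize() is public. Any code holding a reference can run the cleanup
// path on a live object, yanking its resources out from under the real owner.
class LeakySession {
    private InputStream in;        // stand-in for a socket or file handle
    private boolean authenticated;

    LeakySession(InputStream in) {
        this.in = in;
        this.authenticated = true;
    }

    boolean isAuthenticated() { return authenticated; }

    int readByte() throws IOException {
        if (in == null) throw new IllegalStateException("session already finalized");
        return in.read();
    }

    // CWE-583: public access lets an untrusted caller invoke this directly.
    public void finalize() {
        authenticated = false;                      // alters execution logic
        try { if (in != null) in.close(); } catch (IOException ignored) { }
        in = null;
    }
}

// Corrected: protected access (matching Object.finalize()), @Override, and
// super.finalize() called in a finally block so it runs even if cleanup throws.
class GuardedSession {
    private InputStream in;
    private boolean authenticated;

    GuardedSession(InputStream in) {
        this.in = in;
        this.authenticated = true;
    }

    boolean isAuthenticated() { return authenticated; }

    @Override
    protected void finalize() throws Throwable {
        try {
            authenticated = false;
            if (in != null) in.close();
            in = null;
        } finally {
            super.finalize();                       // never skip the superclass finalizer
        }
    }
}

public class Cwe583Demo {
    public static void main(String[] args) throws Exception {
        LeakySession leaky = new LeakySession(new ByteArrayInputStream(new byte[] {1, 2, 3}));

        // "Attacker" code that merely holds a reference to the live object:
        leaky.finalize();                           // compiles and runs because finalize() is public
        System.out.println("leaky authenticated? " + leaky.isAuthenticated());   // false
        try {
            leaky.readByte();                       // legitimate owner now fails
        } catch (IllegalStateException e) {
            System.out.println("owner's read failed: " + e.getMessage());
        }

        GuardedSession guarded = new GuardedSession(new ByteArrayInputStream(new byte[] {1}));
        // guarded.finalize();  // rejected by javac from an unrelated class in another
        //                      // package: "finalize() has protected access in GuardedSession"
        System.out.println("guarded authenticated? " + guarded.isAuthenticated()); // true
    }
}
```

Compile and run with `javac Cwe583Demo.java && java Cwe583Demo`. Two caveats a reviewer should keep in mind: protected access still permits calls from subclasses and from any class in the same package, so it restricts the caller set rather than eliminating it, and Object.finalize() has been deprecated since Java 9 (deprecated for removal since Java 18), so new code should prefer try-with-resources or java.lang.ref.Cleaner over a finalizer at all. Static analysers flag the public form directly; SpotBugs reports it as FI_PUBLIC_SHOULD_BE_PROTECTED.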

References

  1. https://cwe.mitre.org/data/definitions/583.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: finalize() Method Without super.finalize()
  • CWE: Explicit Call to Finalize()
  • CWE: Use of Object without Invoking Destructor Method
  • CWE: Critical Public Variable Without Final Modifier
  • CWE: Public Static Field Not Marked Final
  • CWE: Public Static Final Field References Mutable Object

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.