CWE-491: Public cloneable() Method Without Final ('Object Hijack')

Description

A class has a cloneable() method that is not declared final, which allows a subclass to override it and return an object that was created without calling the constructor. Such an object can be in an unexpected state, since any invariants the constructor enforces were never checked for it.

Submission Date: 2006-07-19

Modification Date: 2023-06-29

Organization: MITRE

Example Vulnerable Codes

Example - 1

In this example, the public class "BankAccount" implements Cloneable and declares a public method "Object clone(String accountnumber)" that is not marked final:

    public class BankAccount implements Cloneable {
        // Public and not final: a subclass can override this method and hand back
        // an object that never passed through the BankAccount constructor.
        public Object clone(String accountnumber) throws CloneNotSupportedException {
            Object returnMe = new BankAccount(accountnumber);
            ...
        }
    }

Example - 2

In the example below, a clone() method is defined without being declared final.

    ...
    protected Object clone() throws CloneNotSupportedException {
        ...
    }
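The following is an added example, not MITRE's code, that makes the weakness in both examples concrete: a class whose constructor validates its state but whose clone() is public and not final, a subclass that overrides clone() to return a copy in a state the constructor would have rejected, and a hardened form whose final clone() copies through the constructor. The class names (VulnerableAccount, HijackedAccount, HardenedAccount, Cwe491Demo) and the balance invariant are constructed for illustration.

```java
import java.util.Objects;

// Constructed example for CWE-491 (not MITRE's code; class names are illustrative).

class VulnerableAccount implements Cloneable {
    private final String accountNumber;
    protected long balanceCents;   // subclass-visible, so an overriding clone() can tamper with it

    VulnerableAccount(String accountNumber, long balanceCents) {
        // The constructor is the only place the invariant "balance >= 0" is checked.
        this.accountNumber = Objects.requireNonNull(accountNumber);
        if (balanceCents < 0) throw new IllegalArgumentException("negative opening balance");
        this.balanceCents = balanceCents;
    }

    // CWE-491: public and not final. Object.clone() allocates the copy without
    // running any constructor, and any subclass may override this method.
    @Override
    public Object clone() throws CloneNotSupportedException {
        return super.clone();
    }

    long balanceCents() { return balanceCents; }
    String accountNumber() { return accountNumber; }
}

// Subclass that overrides clone(): the constructor still ran for the original
// instance, but the copy comes from super.clone() and is then altered, so it
// never passed the constructor's validation.
class HijackedAccount extends VulnerableAccount {
    HijackedAccount() { super("ACC-0001", 0); }

    @Override
    public Object clone() throws CloneNotSupportedException {
        HijackedAccount copy = (HijackedAccount) super.clone();
        copy.balanceCents = -1_000_000;   // state the constructor would have rejected
        return copy;
    }
}

// Hardened form: clone() is final, so no subclass can override it, and the copy
// is produced through the constructor so the invariant is re-checked. Throwing
// CloneNotSupportedException from a final clone() is the other standard choice.
class HardenedAccount implements Cloneable {
    private final String accountNumber;
    private long balanceCents;

    HardenedAccount(String accountNumber, long balanceCents) {
        this.accountNumber = Objects.requireNonNull(accountNumber);
        if (balanceCents < 0) throw new IllegalArgumentException("negative opening balance");
        this.balanceCents = balanceCents;
    }

    @Override
    public final Object clone() {
        // A subclass that tries to override this method fails to compile.
        return new HardenedAccount(accountNumber, balanceCents);
    }

    long balanceCents() { return balanceCents; }
}

public class Cwe491Demo {
    // Code that trusts any VulnerableAccount it receives and snapshots it via clone().
    // With the subclass above, the dynamically dispatched clone() returns the tampered copy.
    static boolean snapshotIsValid(VulnerableAccount account) throws CloneNotSupportedException {
        VulnerableAccount snapshot = (VulnerableAccount) account.clone();
        return snapshot.balanceCents() >= 0;
    }

    public static void main(String[] args) throws CloneNotSupportedException {
        System.out.println("honest clone valid:   " + snapshotIsValid(new VulnerableAccount("ACC-0002", 500)));
        System.out.println("hijacked clone valid: " + snapshotIsValid(new HijackedAccount()));

        HardenedAccount h = new HardenedAccount("ACC-0003", 500);
        HardenedAccount hc = (HardenedAccount) h.clone();
        System.out.println("hardened clone balance: " + hc.balanceCents());
    }
}
```

The point of the demo is the caller in snapshotIsValid: it holds a reference typed as VulnerableAccount and assumes a clone of it satisfies the constructor's invariant, but because clone() can be overridden, that assumption holds only for the hardened class. When reviewing code for this weakness, look for public clone() methods on classes with validating constructors and confirm they are either final or the class itself is final.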

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.