CWE-493: Critical Public Variable Without Final Modifier

Description

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Submission Date :

July 19, 2006, midnight

Modification Date :

2023-06-29 00:00:00+00:00

Organization :

MITRE

Extended Description

If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.

Example Vulnerable Codes

Example - 1

Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor.


this.price = LookupPrice("MyWidgetType");public float price;...public WidgetData(...) {}public final class WidgetData extends Applet {}

The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData.

Example - 2

Assume the following code is intended to provide the location of a configuration file that controls execution of the application.

Example Language: C#

public string configPath = "/etc/application/config.dat";

Example Language: Java

public String configPath = new String("/etc/application/config.dat");

While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function.
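The following Java program is an added illustration and is not code from the CWE entry; class and method names (LeakyWidget, SealedWidget, untrustedCode) are illustrative assumptions. It puts the weakness from both examples above (a public, non-final price and configuration path) beside a hardened form in which the fields are private and final, validated once in the constructor, and exposed only through getters, so that the invariant the rest of the program relies on cannot be broken by any code that merely holds a reference to the object.

```java
import java.util.Objects;

// Added example (not part of the CWE entry). Demonstrates CWE-493: a public
// non-final field can be overwritten by any code holding a reference, whereas
// a private final field cannot be reassigned after construction.
public class Cwe493Demo {

    // Vulnerable shape, as in Example 1 and Example 2: public and not final.
    // The constructor sets the value, but nothing stops later modification.
    static final class LeakyWidget {
        public float price;
        public String configPath = "/etc/application/config.dat";

        LeakyWidget(float catalogPrice) {
            this.price = catalogPrice;
        }
    }

    // Hardened shape: private final fields, set exactly once, validated on
    // entry and readable only through accessors. With no setter and no
    // reassignment possible, "price is the catalog price" holds for the
    // whole lifetime of the object.
    static final class SealedWidget {
        private final float price;
        private final String configPath;

        SealedWidget(float catalogPrice, String configPath) {
            if (Float.isNaN(catalogPrice) || catalogPrice < 0) {
                throw new IllegalArgumentException("price must be a non-negative number");
            }
            this.price = catalogPrice;
            this.configPath = Objects.requireNonNull(configPath, "configPath");
        }

        public float getPrice() { return price; }
        public String getConfigPath() { return configPath; }
    }

    // Stands in for any code elsewhere in the application that receives a
    // reference to the object; it needs no special privilege to do this.
    static void untrustedCode(LeakyWidget w) {
        w.price = 0.01f;                       // compiles: public, mutable field
        w.configPath = "/tmp/untrusted.dat";   // compiles: same problem for the path
    }

    public static void main(String[] args) {
        LeakyWidget leaky = new LeakyWidget(19.99f);
        untrustedCode(leaky);
        System.out.println("leaky price after tampering:  " + leaky.price);
        System.out.println("leaky config after tampering: " + leaky.configPath);

        SealedWidget sealed = new SealedWidget(19.99f, "/etc/application/config.dat");
        // sealed.price = 0.01f;   // does not compile: price has private access
        System.out.println("sealed price:  " + sealed.getPrice());
        System.out.println("sealed config: " + sealed.getConfigPath());
    }
}
```

Two caveats are worth keeping in mind when applying the fix. First, declaring the class final (as WidgetData does in Example 1) prevents subclassing but does nothing to protect its fields; the modifier has to be on the field. Second, final on a reference field only prevents the reference from being reassigned: a final String is safe because String is immutable, but a final array, StringBuilder, or collection can still have its contents changed through the reference, so such fields also need a private access level and defensive copies or unmodifiable views in their getters.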

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of the different insights into similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.