CWE-498: Cloneable Class Containing Sensitive Information

Description

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

Submission Date: 2006-07-19

Modification Date: 2023-06-29

Organization: MITRE

Extended Description

Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.

Example Vulnerable Codes

Example - 1

The following example demonstrates the weakness.

    public class CloneClient {
        public CloneClient() {
            Teacher t1 = new Teacher("guddu","22,nagar road");
            //...
            // Do some stuff to remove the teacher.
            Teacher t2 = (Teacher)t1.clone();
            System.out.println(t2.name);
        }
        public static void main(String args[]) {
            new CloneClient();
        }
    }

    class Teacher implements Cloneable {
        public String name;
        public String clas;

        public Teacher(String name,String clas) {
            this.name = name;
            this.clas = clas;
        }

        // Publicly exposes Object.clone(): the copy is a field-by-field duplicate
        // made without running the Teacher constructor.
        public Object clone() {
            try {
                return super.clone();
            }
            catch (java.lang.CloneNotSupportedException e) {
                throw new RuntimeException(e.toString());
            }
        }
    }

Make classes uncloneable by defining a clone function like:

    // clone() must keep Object's return type (Object) to compile; final prevents subclasses from reopening it.
    public final Object clone() throws java.lang.CloneNotSupportedException {
        throw new java.lang.CloneNotSupportedException();
    }
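The following is an added example, not code from the CWE entry, that makes the constructor-bypass point concrete: a credential holder whose constructor enforces an authorization check, shown once in the cloneable shape (the check never runs for the copy) and once sealed with a final clone() that refuses. The class and method names (CloneDemo, LeakyCredential, SealedCredential, secretLength) and the sample secret are assumptions made for illustration.

```java
// Added example (not part of the CWE entry). All names and the sample secret are constructed.
import java.util.Arrays;

public class CloneDemo {

    // Vulnerable shape: the secret is private, but the class is Cloneable and
    // exposes a public clone(), so any holder of an instance can copy it.
    static class LeakyCredential implements Cloneable {
        private final char[] secret;

        LeakyCredential(char[] secret, boolean callerAuthorized) {
            if (!callerAuthorized) {
                throw new SecurityException("not authorized to hold credential");
            }
            this.secret = secret.clone();
        }

        // Object.clone() does a shallow field copy; the constructor above, and
        // with it the authorization check, is never invoked for the copy.
        @Override
        public Object clone() {
            try {
                return super.clone();
            } catch (CloneNotSupportedException e) {
                throw new AssertionError(e); // cannot happen: class is Cloneable
            }
        }

        int secretLength() { return secret.length; }
    }

    // Hardened shape: does not implement Cloneable and overrides clone() as
    // final so no subclass can reopen it. Object.clone() would already throw for
    // a non-Cloneable class; the explicit override documents the intent and
    // survives subclassing.
    static class SealedCredential {
        private final char[] secret;

        SealedCredential(char[] secret, boolean callerAuthorized) {
            if (!callerAuthorized) {
                throw new SecurityException("not authorized to hold credential");
            }
            this.secret = secret.clone();
        }

        @Override
        protected final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException("SealedCredential is not cloneable");
        }

        int secretLength() { return secret.length; }
    }

    public static void main(String[] args) {
        char[] constructedSecret = "hunter2".toCharArray(); // constructed sample value

        LeakyCredential original = new LeakyCredential(constructedSecret, true);
        // The copy is produced without the constructor running: no check, same secret,
        // and because the copy is shallow, the same backing char[] reference.
        LeakyCredential copy = (LeakyCredential) original.clone();
        System.out.println("leaky copy holds secret of length " + copy.secretLength()
                + "; shares backing array: " + (copy.secret == original.secret));

        SealedCredential sealed = new SealedCredential(constructedSecret, true);
        try {
            sealed.clone();
            System.out.println("unexpected: sealed credential was cloned");
        } catch (CloneNotSupportedException e) {
            System.out.println("sealed clone refused: " + e.getMessage());
        }

        // Scrub the sample secret once it is no longer needed.
        Arrays.fill(constructedSecret, '\0');
    }
}
```

Compile and run with `javac CloneDemo.java && java CloneDemo`. The sealed variant keeps the return type Object, as Object.clone() declares it, and stays protected so the method is not part of the class's public surface; marking it final is what keeps a subclass from implementing Cloneable and overriding clone() to reopen access.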

Related Weaknesses

This table shows the weaknesses and high-level categories related to this weakness. These relationships are defined to give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.