CWE-500: Public Static Field Not Marked Final

Description

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Submission Date: July 19, 2006, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

Public static variables can be read without an accessor and changed without a mutator by any class in the application.

Example Vulnerable Code

Example - 1

The following examples use a public static String variable to contain the name of a property/configuration file for the application.

    // C++ (inline static member, C++17, so the in-class initializer compiles)
    class SomeAppClass {
    public:
        inline static string appPropertiesConfigFile = "app/properties.config";
        ...
    };

    // Java
    public class SomeAppClass {
        public static String appPropertiesFile = "app/Application.properties";
        ...
    }

Having a public static variable that is not marked final (constant) may allow the variable to be altered in a way not intended by the application. In this example the String variable can be modified to indicate a different or nonexistent properties file, which could cause the application to crash or cause unexpected behavior.


    // C++ (field marked const; inline static member, C++17)
    class SomeAppClass {
    public:
        inline static const string appPropertiesConfigFile = "app/properties.config";
        ...
    };

    // Java (field marked final)
    public class SomeAppClass {
        public static final String appPropertiesFile = "app/Application.properties";
        ...
    }
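
The same contrast as a complete C++ program, added here as an illustration and not part of the CWE entry. It shows an unrelated component silently repointing the weak field, and a compile-time check that reports whether such a field is reassignable. The names WeakConfig, HardenedConfig, FieldIsReassignable, fileToLoad, repoint and unrelatedComponent, and the path tmp/other.config, are constructed for this example.

```cpp
#include <iostream>
#include <string>
#include <type_traits>

// Weak form (CWE-500): public, static, not const. Any code can reassign it.
struct WeakConfig {
    static std::string propertiesFile;
};
std::string WeakConfig::propertiesFile = "app/properties.config";

// Hardened form: the same field marked const, so reassignment does not compile.
struct HardenedConfig {
    static const std::string propertiesFile;
};
const std::string HardenedConfig::propertiesFile = "app/properties.config";

// Compile-time audit: true when Config::propertiesFile accepts an assignment.
template <typename Config>
struct FieldIsReassignable
    : std::is_assignable<decltype((Config::propertiesFile)), std::string> {};

// Hypothetical loader: returns the file name it would open.
template <typename Config>
std::string fileToLoad() { return Config::propertiesFile; }

// Hypothetical unrelated component that overwrites the setting whenever
// the type system permits it (constructed replacement path).
template <typename Config>
void repoint(std::true_type) { Config::propertiesFile = "tmp/other.config"; }
template <typename Config>
void repoint(std::false_type) {}  // const field: the assignment would be rejected

template <typename Config>
void unrelatedComponent() { repoint<Config>(FieldIsReassignable<Config>()); }

static_assert(FieldIsReassignable<WeakConfig>::value, "weak field is writable");
static_assert(!FieldIsReassignable<HardenedConfig>::value, "const field is not");

int main() {
    unrelatedComponent<WeakConfig>();
    unrelatedComponent<HardenedConfig>();
    std::cout << "weak loader opens:     " << fileToLoad<WeakConfig>() << "\n";
    std::cout << "hardened loader opens: " << fileToLoad<HardenedConfig>() << "\n";
    return 0;
}
```

A `static_assert(!FieldIsReassignable<T>::value, ...)` placed next to a configuration class turns a later removal of `const` into a build failure.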

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships are defined to give an overview of, and insight into, similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.