CWE-491: Public cloneable() Method Without Final ('Object Hijack')

Export to Word

Description

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Extended Description

N/A


ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase Note
Implementation N/A

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)":

public class BankAccount implements Cloneable{ public Object clone(String accountnumber) throws CloneNotSupportedException { Object returnMe = new BankAccount(account number); ... } }

Intro: In the example below, a clone() method is defined without being declared final.

protected Object clone() throws CloneNotSupportedException { ... }

Notes

← Back to CWE list