CWE-491: Public cloneable() Method Without Final ('Object Hijack')

Description

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Extended Description

N/A

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

No observed examples available.

Related Attack Patterns (CAPEC)

N/A

Attack TTPs

N/A

Modes of Introduction

Phase	Note
Implementation	N/A

Common Consequences

Impact: Unexpected State, Varies by Context — Notes:

Potential Mitigations

Implementation: Make the cloneable() method final. (N/A)

Applicable Platforms

Java (N/A, Undetermined)

Demonstrative Examples

Intro: In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)":

public class BankAccount implements Cloneable{ public Object clone(String accountnumber) throws CloneNotSupportedException { Object returnMe = new BankAccount(account number); ... } }

Intro: In the example below, a clone() method is defined without being declared final.

protected Object clone() throws CloneNotSupportedException { ... }

Notes

No notes available.

← Back to CWE list