CWE-500: Public Static Field Not Marked Final

Description

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Extended Description

Public static variables can be read without an accessor and changed without a mutator by any classes in the application.


ThreatScore

Threat Mapped score: 0.0

Industry: Financial

Threat priority: Unclassified


Observed Examples (CVEs)

Related Attack Patterns (CAPEC)

N/A


Attack TTPs

N/A

Modes of Introduction

Phase: Implementation
Note: N/A

Common Consequences

Potential Mitigations

Applicable Platforms


Demonstrative Examples

Intro: The following examples use a public static String variable to contain the name of a property/configuration file for the application.

Body: Having a public static variable that is not marked final (constant) may allow the variable to be altered in a way not intended by the application. In this example the String variable can be modified to indicate a different or nonexistent properties file, which could cause the application to crash or cause unexpected behavior.

class SomeAppClass {
public:
    static string appPropertiesConfigFile = "app/properties.config";
    ...
}
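An added example, not part of the original CWE entry: the class above written so that it compiles, next to a const variant, showing that unrelated code can repoint the configuration path in the first and is rejected by the compiler in the second. HardenedAppClass, unrelatedModule and configPath are hypothetical names, and "missing/other.config" is a constructed value.

```cpp
#include <iostream>
#include <string>
#include <type_traits>

// Weak form from the page: public, static, and not const.
class SomeAppClass {
public:
    static std::string appPropertiesConfigFile;
    static std::string configPath() { return appPropertiesConfigFile; }
};
std::string SomeAppClass::appPropertiesConfigFile = "app/properties.config";

// Hardened form (hypothetical class name): the same field, marked const.
class HardenedAppClass {
public:
    static const std::string appPropertiesConfigFile;
    static std::string configPath() { return appPropertiesConfigFile; }
};
const std::string HardenedAppClass::appPropertiesConfigFile = "app/properties.config";

// Hypothetical unrelated code elsewhere in the application.
void unrelatedModule() {
    // Compiles: no mutator or access check stands in the way.
    SomeAppClass::appPropertiesConfigFile = "missing/other.config";  // constructed value
    // The same assignment to HardenedAppClass is rejected by the compiler.
}

// Compile-time check of the difference, so a regression fails the build.
static_assert(
    std::is_assignable<decltype((SomeAppClass::appPropertiesConfigFile)), const char*>::value,
    "weak field accepts assignment");
static_assert(
    !std::is_assignable<decltype((HardenedAppClass::appPropertiesConfigFile)), const char*>::value,
    "const field must reject assignment");

int main() {
    std::cout << "before: " << SomeAppClass::configPath() << "\n";
    unrelatedModule();
    std::cout << "after:  " << SomeAppClass::configPath() << "\n";
    std::cout << "const:  " << HardenedAppClass::configPath() << "\n";
    return 0;
}
```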

Notes