Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE-491: Public cloneable() Method Without Final ('Object Hijack')

Weakness ID: 491 (Weakness Variant)
Status: Draft
+ Description

Description Summary

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

+ Common Consequences

Technical Impact: Unexpected state; Varies by context

+ Demonstrative Examples

Example 1

In this example, a public class "BankAccount" implements Cloneable and declares a method "Object clone(String accountnumber)" that is not declared final, so a subclass can override it and return an object that never went through BankAccount's constructor:

(Bad Code)
Example Language: Java 
public class BankAccount implements Cloneable {
    private final String accountNumber;
    public BankAccount(String accountNumber) { this.accountNumber = accountNumber; }
    // Not declared final: a subclass may override this and return an arbitrary object
    public Object clone(String accountnumber) throws CloneNotSupportedException {
        Object returnMe = new BankAccount(accountnumber);
        return returnMe;
    }
}


Example 2

In the example below, a clone() method is defined without being declared final.

(Bad Code)
Example Language: Java 
public class Account implements Cloneable {
    // Not declared final: a subclass may override clone() and hand back a copy in any state
    protected Object clone() throws CloneNotSupportedException {
        return super.clone();
    }
}
+ Potential Mitigations

Phase: Implementation

Make the cloneable() method final, so that subclasses cannot override clone() and substitute an object that bypassed the constructor.
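The following is an added illustration of the weakness and of the mitigation just described; it is not code from the CWE entry, and all class, field and method names in it are hypothetical. It places a sensitive class whose clone() is overridable next to the hardened form with a final clone(), and shows that Object.clone() copies fields without running the constructor, so a subclass override can return a copy whose state the constructor would have rejected.

```java
import java.util.regex.Pattern;

// Weak form (CWE-491): clone() is overridable. Code that clones an instance to obtain a
// "trusted copy" may receive an object a subclass assembled without the constructor's checks.
class WeakAccount implements Cloneable {
    private static final Pattern VALID = Pattern.compile("[0-9]{8}");
    protected String accountNumber;

    WeakAccount(String accountNumber) {
        if (!VALID.matcher(accountNumber).matches()) {
            throw new IllegalArgumentException("invalid account number: " + accountNumber);
        }
        this.accountNumber = accountNumber;
    }

    public String getAccountNumber() { return accountNumber; }

    // Not final: any subclass may replace this method.
    @Override
    public Object clone() throws CloneNotSupportedException {
        return super.clone(); // Object.clone() copies fields; no constructor runs
    }
}

// Consequence of the missing final: the copy carries a value the constructor enforces
// against, because no constructor produced it (the "unexpected state" in the description).
class OverridingAccount extends WeakAccount {
    OverridingAccount(String accountNumber) { super(accountNumber); }

    @Override
    public Object clone() throws CloneNotSupportedException {
        WeakAccount copy = (WeakAccount) super.clone();
        copy.accountNumber = ""; // invariant from the constructor no longer holds
        return copy;
    }
}

// Hardened form (the mitigation above): clone() is final and refuses to copy the object.
// A subclass declaring its own clone() fails to compile ("overridden method is final"),
// so callers can rely on every HardenedAccount having passed through the constructor.
class HardenedAccount {
    private static final Pattern VALID = Pattern.compile("[0-9]{8}");
    private final String accountNumber;

    HardenedAccount(String accountNumber) {
        if (!VALID.matcher(accountNumber).matches()) {
            throw new IllegalArgumentException("invalid account number: " + accountNumber);
        }
        this.accountNumber = accountNumber;
    }

    public String getAccountNumber() { return accountNumber; }

    @Override
    public final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException("account objects must not be copied");
    }
}

public class Cwe491Demo {
    public static void main(String[] args) throws CloneNotSupportedException {
        // Weak class: the copy obtained via clone() violates the constructor's invariant.
        WeakAccount weak = new OverridingAccount("12345678");
        WeakAccount copy = (WeakAccount) weak.clone();
        System.out.println("weak copy account number: '" + copy.getAccountNumber() + "'");

        // Hardened class: copying is refused, and no subclass can change that.
        HardenedAccount hardened = new HardenedAccount("12345678");
        try {
            hardened.clone();
        } catch (CloneNotSupportedException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

Save the block as Cwe491Demo.java and run it with javac and java; the weak copy prints an empty account number, while the hardened class reports that copying is not permitted. If a sensitive class does need to support cloning, the same protection applies to a final clone() that calls super.clone() and then re-validates the copied fields before returning it.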

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Weakness Class | 485 | Insufficient Encapsulation | Seven Pernicious Kingdoms (primary) 700
ChildOf | Category | 490 | Mobile Code Issues | Development Concepts (primary) 699
ChildOf | Weakness Class | 668 | Exposure of Resource to Wrong Sphere | Research Concepts (primary) 1000
ChildOf | Category | 849 | CERT Java Secure Coding Section 04 - Object Orientation (OBJ) | Weaknesses Addressed by the CERT Java Secure Coding Standard (primary) 844
ChildOf | Category | 897 | SFP Cluster: Entry Points | Software Fault Pattern (SFP) Clusters (primary) 888
+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
7 Pernicious Kingdoms | | | Mobile Code: Object Hijack
CERT Java Secure Coding | OBJ07-J | | Sensitive classes must not let themselves be copied
+ References
OWASP. "OWASP, Attack Category: Mobile code: object hijack".
+ Content History
Submission Date | Submitter | Organization | Source
 | | | Externally Mined

Modification Date | Modifier | Organization | Source
  • added/updated demonstrative examples
  • updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
  • updated Relationships, References, Taxonomy_Mappings
  • updated Name
  • updated Demonstrative_Examples
  • updated Common_Consequences, Relationships, Taxonomy_Mappings
  • updated Common_Consequences
  • updated Relationships, Taxonomy_Mappings
  • updated Potential_Mitigations

Previous Entry Names
Change Date | Previous Entry Name
2008-04-11 | Mobile Code: Object Hijack
2009-05-27 | Public cloneable() Method Without Final (aka 'Object Hijack')
Page Last Updated: June 23, 2014