CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.6)  

Presentation Filter:

CWE-491: Public cloneable() Method Without Final ('Object Hijack')

 
Public cloneable() Method Without Final ('Object Hijack')
Weakness ID: 491 (Weakness Variant)Status: Draft
+ Description

Description Summary

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Java

+ Common Consequences
ScopeEffect
Integrity
Other

Technical Impact: Unexpected state; Varies by context

+ Demonstrative Examples

Example 1

In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)":

(Bad Code)
Example Language: Java 
public class BankAccount implements Cloneable{
public Object clone(String accountnumber) throws
CloneNotSupportedException
{
Object returnMe = new BankAccount(account number);
...

}
}

Example 2

In the example below, a clone() method is defined without being declared final.

(Bad Code)
Example Language: Java 
protected Object clone() throws CloneNotSupportedException {
...
}
+ Potential Mitigations

Phase: Implementation

Make the cloneable() method final.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class485Insufficient Encapsulation
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory490Mobile Code Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts (primary)1000
ChildOfCategoryCategory849CERT Java Secure Coding Section 04 - Object Orientation (OBJ)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
ChildOfCategoryCategory897SFP Cluster: Entry Points
Software Fault Pattern (SFP) Clusters (primary)888
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsMobile Code: Object Hijack
CERT Java Secure CodingOBJ07-JSensitive classes must not let themselves be copied
+ References
OWASP. "OWASP , Attack Category : Mobile code: object hijack". <http://www.owasp.org/index.php/Mobile_code:_object_hijack>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, References, Taxonomy_Mappings
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
2012-05-11CWE Content TeamMITREInternal
updated Relationships, Taxonomy_Mappings
2012-10-30CWE Content TeamMITREInternal
updated Potential_Mitigations
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Mobile Code: Object Hijack
2009-05-27Public cloneable() Method Without Final (aka 'Object Hijack')
Page Last Updated: February 18, 2014