CWE
CWE/SANS Top 25 Most Dangerous Software Errors Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.1)  

CWE-491: Public cloneable() Method Without Final ('Object Hijack')

 
Public cloneable() Method Without Final ('Object Hijack')
Weakness ID: 491 (Weakness Variant)Status: Draft
+ Description

Description Summary

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Java

+ Common Consequences
ScopeEffect
Integrity
Other

Technical Impact: Unexpected state; Varies by context

+ Demonstrative Examples

Example 1

In this example, a public class "BankAccount" implements the cloneable() method which declares "Object clone(string accountnumber)":

(Bad Code)
Example Language: Java 
public class BankAccount implements Cloneable{
public Object clone(String accountnumber) throws
CloneNotSupportedException
{
Object returnMe = new BankAccount(account number);
...

}
}

Example 2

In the example below, a clone() method is defined without being declared final.

(Bad Code)
Example Language: Java 
protected Object clone() throws CloneNotSupportedException {
...
}
+ Potential Mitigations

Make the cloneable() method final.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class485Insufficient Encapsulation
Seven Pernicious Kingdoms (primary)700
ChildOfCategoryCategory490Mobile Code Issues
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class668Exposure of Resource to Wrong Sphere
Research Concepts (primary)1000
ChildOfCategoryCategory849CERT Java Secure Coding Section 04 - Object Orientation (OBJ)
Weaknesses Addressed by the CERT Java Secure Coding Standard (primary)844
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
7 Pernicious KingdomsMobile Code: Object Hijack
CERT Java Secure CodingOBJ03-JSensitive classes must not let themselves be copied
+ References
OWASP. "OWASP , Attack Category : Mobile code: object hijack". <http://www.owasp.org/index.php/Mobile_code:_object_hijack>.
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
7 Pernicious KingdomsExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated References, Demonstrative_Example, Potential_Mitigations, Time_of_Introduction
2008-09-08CWE Content TeamMITREInternal
updated Relationships, References, Taxonomy_Mappings
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative_Examples
2011-06-01CWE Content TeamMITREInternal
updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27CWE Content TeamMITREInternal
updated Common_Consequences
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11Mobile Code: Object Hijack
2009-05-27Public cloneable() Method Without Final (aka 'Object Hijack')
Back to top
Page Last Updated: September 12, 2011
 

CWE is a Software Assurance strategic initiative co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

This Web site is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2006-2012, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Contact cwe@mitre.org for more information.
Privacy policy
Terms of use
Contact us