CWE - CWE-500: Public Static Field Not Marked Final (1.6)

Home > CWE List > CWE- Individual Dictionary Definition (1.6)

CWE-500: Public Static Field Not Marked Final

Public Static Field Not Marked Final

Weakness ID: 500 (Weakness Variant)

Status: Draft

Description

Description Summary

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Time of Introduction

Applicable Platforms

Languages

C++

Java

Common Consequences

Scope	Effect
Integrity	The object could potentially be tampered with.
Confidentiality	The object could potentially allow the object to be read.

Likelihood of Exploit

High

Demonstrative Examples

Example 1

This is a static variable that can be read without an accessor and changed without a mutator.

(Bad Code)

C++

public:

static string str = "My String";

(Bad Code)

Java

static public String str = "My String";

Potential Mitigations

Phase	Description
Architecture and Design	Clearly identify the scope for all critical data elements, including whether they should be regarded as static.
Implementation	Make any static fields private and final.

Background Details

When a field is declared public but not final, the field can be read and written to by arbitrary Java code.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Weakness Variant	493	Critical Public Variable Without Final Modifier	Development Concepts (primary)699 Research Concepts (primary)1000

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
CLASP			Overflow of static internal buffer

White Box Definitions

A weakness where code path has a statement that defines a public field that is static and non-final

Content History

Submissions
Submission Date	Submitter	Organization	Source
	CLASP		Externally Mined

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Time of Introduction
2008-08-01		KDM Analytics	External
2008-08-01	added/updated white box definitions
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2008-11-05	CWE Content Team	MITRE	Internal
2008-11-05	Significant clarification of this entry, and improved examples.
2008-11-24	CWE Content Team	MITRE	Internal
2008-11-24	updated Background Details, Demonstrative Examples, Description, Name, Other Notes, Potential Mitigations
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Relationships

Page Last Updated: October 29, 2009


	CWE is a Software Assurance strategic initiative sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2009, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us