Public Static Field Not Marked Final
Weakness ID: 500 (Weakness Variant)
Status: Draft
+ Description

Description Summary

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

C++

Java

+ Common Consequences
Scope: Integrity
Effect: The field can be reassigned by any code that can see the class, so the object it refers to could be tampered with.

Scope: Confidentiality
Effect: The field can be read directly by any code that can see the class, bypassing any accessor that would otherwise restrict access to its value.

+ Likelihood of Exploit

High

+ Demonstrative Examples

Example 1

Both snippets declare a public static field that is not final (C++: not const). It can be read without an accessor and changed without a mutator by any code that can see the class.

(Bad Code)
Example Language: C++ 
#include <string>

class Config {
public:
    // Public static member that is not const: any code can read or reassign it.
    inline static std::string str = "My String";   // in-class initialization requires C++17
};
(Bad Code)
Example Language: Java 
public class Config {
    // Public static field that is not final: any code can read or reassign it.
    public static String str = "My String";
}
+ Potential Mitigations

Phase: Architecture and Design

Clearly identify the scope for all critical data elements, including whether they should be regarded as static.

Phase: Implementation

Make any static fields private and final.
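The following is an added example written for this entry; it is not code from the CWE page or from CLASP. The class names, field names and the host/role values are illustrative. It places the CWE-500 pattern beside the private-and-final form the mitigation calls for, and also shows the caveat a reviewer should keep in mind: final fixes only the reference, so a final field holding a mutable object (here an array) still lets its contents be changed, and an unmodifiable view is needed to close that gap.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added example for CWE-500; names and values are hypothetical.
public class StaticFieldDemo {

    // (Bad Code) The CWE-500 pattern: any class that can see this field can
    // reassign it, with no accessor or mutator in between.
    static class WeakConfig {
        public static String trustedHost = "login.example.internal";
    }

    // (Good Code) private and final: the reference cannot be reassigned after
    // class initialization, and reads go through an accessor.
    static class HardenedConfig {
        private static final String TRUSTED_HOST = "login.example.internal";

        public static String trustedHost() {
            return TRUSTED_HOST;
        }
    }

    // Caveat: final only protects the reference. A final field that points at a
    // mutable object (array, ArrayList, ...) can still have its contents changed.
    static class StillMutable {
        public static final String[] ALLOWED_ROLES = { "reader", "auditor" };
    }

    // Wrapping the collection in an unmodifiable view closes that gap: the
    // reference is final and the contents reject mutation at run time.
    static class Immutable {
        private static final List<String> ALLOWED_ROLES =
            Collections.unmodifiableList(Arrays.asList("reader", "auditor"));

        public static List<String> allowedRoles() {
            return ALLOWED_ROLES;
        }
    }

    public static void main(String[] args) {
        // Tampering with the bad code is a one-liner from any other class.
        WeakConfig.trustedHost = "attacker.example.net";
        System.out.println("WeakConfig.trustedHost is now: " + WeakConfig.trustedHost);

        // HardenedConfig.TRUSTED_HOST = "x"; would not compile: private and final.
        System.out.println("HardenedConfig.trustedHost(): " + HardenedConfig.trustedHost());

        // final does not protect array contents.
        StillMutable.ALLOWED_ROLES[0] = "admin";
        System.out.println("StillMutable.ALLOWED_ROLES: "
            + Arrays.toString(StillMutable.ALLOWED_ROLES));

        // The unmodifiable view throws on any attempt to change it.
        try {
            Immutable.allowedRoles().set(0, "admin");
        } catch (UnsupportedOperationException e) {
            System.out.println("Immutable.allowedRoles() rejected mutation: " + e);
        }
    }
}
```

Compile and run with `javac StaticFieldDemo.java && java StaticFieldDemo`. The first print shows the attacker-controlled value, the third shows "admin" inside a final array, and the last shows the UnsupportedOperationException from the unmodifiable list; only the HardenedConfig and Immutable forms satisfy the mitigation.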

+ Background Details

When a field is declared public but not final, the field can be read and written to by arbitrary Java code.

+ Relationships
Nature: ChildOf
Type: Weakness Variant
ID: 493
Name: Critical Public Variable Without Final Modifier
View(s) this relationship pertains to: Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Taxonomy Mappings
Mapped Taxonomy Name: CLASP
Mapped Node Name: Overflow of static internal buffer
+ White Box Definitions

A weakness where a code path has a statement that defines a public field that is static and non-final.

+ Content History
Submissions
Submitter: CLASP
Source: Externally Mined
Modifications
2008-07-01, Eric Dalci (Cigital), External: updated Time of Introduction
2008-08-01, KDM Analytics, External: added/updated white box definitions
2008-09-08, CWE Content Team (MITRE), Internal: updated Applicable Platforms, Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2008-11-05, CWE Content Team (MITRE), Internal: significant clarification of this entry, and improved examples
2008-11-24, CWE Content Team (MITRE), Internal: updated Background Details, Demonstrative Examples, Description, Name, Other Notes, Potential Mitigations
2009-05-27, CWE Content Team (MITRE), Internal: updated Relationships
Previous Entry Names
2008-04-11: Overflow of Static Internal Buffer
2008-11-24: Static Field Not Marked Final