Public Static Field Not Marked Final
An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
Public static variables can be read without an accessor and changed without a mutator by any classes in the application.
When a field is declared public but not final, the field can be read and written to by arbitrary Java code.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
The following examples use of a public static String variable to contain the name of a property/configuration file for the application.
Having a public static variable that is not marked final (constant) may allow the variable to the altered in a way not intended by the application. In this example the String variable can be modified to indicate a different on nonexistent properties file which could cause the application to crash or caused unexpected behavior.
Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
This view (slice) covers all the elements in CWE.
This view (slice) lists weaknesses that can be introduced during implementation.
This view (slice) covers issues that are found in Java programs that are not common to all languages.