Weaknesses in Software Written in Java

A view in the Common Weakness Enumeration published by The MITRE Corporation.


Objective

Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.

This view (slice) covers issues that are found in Java programs that are not common to all languages.

Weaknesses

Access to Critical Private Variable via Public Method

The software defines a public method that reads or modifies a private variable.

Array Declared Public, Final, and Static

The program declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

Assigning instead of Comparing

The code uses an operator for assignment when the intention was to perform a comparison.

Call to Thread run() instead of start()

The program calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.

clone() Method Without super.clone()

The software contains a clone() method that does not call super.clone() to obtain the new object.

Cloneable Class Containing Sensitive Information

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

Comparison of Classes by Name

The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

Comparison of Object References Instead of Object Contents

The program compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...

Critical Data Element Declared Public

The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Critical Public Variable Without Final Modifier

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Declaration of Catch for Generic Exception

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaration of Throws for Generic Exception

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Direct Use of Unsafe JNI

When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that ...

Double-Checked Locking

The program uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.

Duplicate Key in Associative List (Alist)

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

EJB Bad Practices: Use of AWT Swing

The program violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.

EJB Bad Practices: Use of Class Loader

The program violates the Enterprise JavaBeans (EJB) specification by using the class loader.

EJB Bad Practices: Use of Java I/O

The program violates the Enterprise JavaBeans (EJB) specification by using the java.io package.

EJB Bad Practices: Use of Sockets

The program violates the Enterprise JavaBeans (EJB) specification by using sockets.

EJB Bad Practices: Use of Synchronization Primitives

The program violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.

Empty Synchronized Block

The software contains an empty synchronized block.

Explicit Call to Finalize()

The software makes an explicit call to the finalize() method from outside the finalizer.

finalize() Method Declared Public

The program violates secure coding principles for mobile code by declaring a finalize() method public.

finalize() Method Without super.finalize()

The software contains a finalize() method that does not call super.finalize().

Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

Improper Cleanup on Thrown Exception

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluatio...

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, ...

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

Integer Coercion Error

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

Integer Underflow (Wrap or Wraparound)

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the co...

J2EE Bad Practices: Direct Management of Connections

The J2EE application directly manages connections, instead of using the container's connection management facilities.

J2EE Bad Practices: Direct Use of Sockets

The J2EE application directly uses sockets instead of using framework method calls.

J2EE Bad Practices: Direct Use of Threads

Thread management in a Web application is forbidden in some circumstances and is always highly error prone.

J2EE Bad Practices: Non-serializable Object Stored in Session

The application stores a non-serializable object as an HttpSession attribute, which can hurt reliability.

J2EE Bad Practices: Use of System.exit()

A J2EE application uses System.exit(), which also shuts down its container.

J2EE Framework: Saving Unserializable Objects to Disk

When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.

J2EE Misconfiguration: Data Transmission Without Encryption

Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are we...

J2EE Misconfiguration: Insufficient Session-ID Length

The J2EE application is configured to use an insufficient session ID length.

J2EE Misconfiguration: Missing Custom Error Page

The default error page of a web application should not display sensitive information about the software system.

Java Runtime Error Message Containing Sensitive Information

In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.

Missing Default Case in Switch Statement

The code does not have a default case in a switch statement, which might lead to complex logical errors and resultant weaknesses.

NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Numeric Truncation Error

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

Object Model Violation: Just One of Equals and Hashcode Defined

The software does not maintain equal hashcodes for equal objects.

Omitted Break Statement in Switch

The program omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

Passing Mutable Objects to an Untrusted Method

The program sends non-cloned mutable data as an argument to a method or function.

Private Data Structure Returned From A Public Method

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Public cloneable() Method Without Final ('Object Hijack')

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

Public Data Assigned to Private Array-Typed Field

Assigning public data to a private array is equivalent to giving public access to the array.

Public Static Field Not Marked Final

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Public Static Final Field References Mutable Object

A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.

Race Condition in Switch

The code contains a switch statement in which the switched variable can be modified while the switch is still executing, resulting in unexpected behavior.

Race Condition within a Thread

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution...

Reliance on Package-level Scope

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

Returning a Mutable Object to an Untrusted Caller

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

Serializable Class Containing Sensitive Data

The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another ...

Struts: Duplicate Validation Forms

The application uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect.

Struts: Form Bean Does Not Extend Validation Class

If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input valid...

Struts: Form Field Without Validator

The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.

Struts: Incomplete validate() Method Definition

The application has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

Struts: Non-private Field in ActionForm Class

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

Struts: Plug-in Framework not in Use

When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient ...

Struts: Unused Validation Form

An unused validation form indicates that validation logic is not up-to-date.

Struts: Unvalidated Action Form

Every Action Form must have a corresponding validation form.

Struts: Validator Turned Off

Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weakn...

Struts: Validator Without Form Field

Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.

Uncaught Exception

An exception is thrown from a function, but it is not caught.

Unsynchronized Access to Shared Data in a Multithreaded Context

The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes.

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper clas...

Use of Inner Class Containing Sensitive Data

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.

Use of Singleton Pattern Without Synchronization in a Multithreaded Context

The software uses the singleton pattern when creating a resource within a multithreaded environment.


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.