The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).

Weaknesses

Array Declared Public, Final, and Static

The program declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

Cloneable Class Containing Sensitive Information

The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.

Comparison of Classes by Name

The program compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

Critical Data Element Declared Public

The software declares a critical variable, field, or member to be public when intended security policy requires it to be private.

Critical Public Variable Without Final Modifier

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

Passing Mutable Objects to an Untrusted Method

The program sends non-cloned mutable data as an argument to a method or function.

Public cloneable() Method Without Final ('Object Hijack')

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

Public Static Field Not Marked Final

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

Returning a Mutable Object to an Untrusted Caller

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

Use of Inner Class Containing Sensitive Data

Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.

Concepts

Deprecated or Obsolete

Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" pu...


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.