CWE-493: Critical Public Variable Without Final Modifier
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
Last updated
Overview
If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.
Background
Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your program is running.
Final provides security by only allowing non-mutable objects to be changed after being set. However, only objects which are not extended can be made final.
Common consequences
What can happen when CWE-493 is exploited.
Modify Application Data
Affects: Integrity
The object could potentially be tampered with.
Read Application Data
Affects: Confidentiality
The object could potentially allow the object to be read.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-493, grouped by where in the lifecycle they apply.
Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor.
Vulnerable example
public final class WidgetData extends Applet {The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData.
Assume the following code is intended to provide the location of a configuration file that controls execution of the application.
Vulnerable example
public string configPath = "/etc/application/config.dat";Vulnerable example
public String configPath = new String("/etc/application/config.dat");While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function.
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: Mobile Code: Non-Final Public Field
- CLASP: Failure to provide confidentiality for stored data
- The CERT Oracle Secure Coding Standard for Java (2011): Do not use public static nonfinal variables (OBJ10-J)
- Software Fault Patterns: Unexpected access points (SFP28)
Frequently asked questions
Common questions about CWE-493.
- What is CWE-493?
- The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
- How do you prevent CWE-493?
- Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
- How is CWE-493 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-493?
- Exploiting CWE-493 can lead to: Modify Application Data, Read Application Data.
References
- MITRE CWE definition (CWE-493) (opens in a new tab)
- CWE-493 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-493
Get alerted the moment a new CWE-493 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.