CWE-493: Critical Public Variable Without Final Modifier

CWE-493: Critical Public Variable Without Final Modifier | RadicalNotion.AI

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor.

Vulnerable example

java

public final class WidgetData extends Applet {

The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData.

Assume the following code is intended to provide the location of a configuration file that controls execution of the application.

Vulnerable example

cpp

public string configPath = "/etc/application/config.dat";

Vulnerable example

java

public String configPath = new String("/etc/application/config.dat");

While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function.

CWE-493: Critical Public Variable Without Final Modifier

Overview

Background

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-493?

How do you prevent CWE-493?

How is CWE-493 detected?

What are the consequences of CWE-493?

References

Stay ahead of CWE-493

Overview

Background

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-493?

How do you prevent CWE-493?

How is CWE-493 detected?

What are the consequences of CWE-493?

References

Stay ahead of CWE-493