Variant weakness
Draft
Log in
The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
Last updated
Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.
Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your product is running.
What can happen when CWE-582 is exploited.
Modify Application Data
Affects: Integrity
Typically introduced during these phases of the software lifecycle.
Languages
Practical mitigations for CWE-582, grouped by where in the lifecycle they apply.
In most situations the array should be made private.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Illustrative examples from MITRE showing how the weakness appears in code.
The following Java Applet code mistakenly declares an array public, final and static.
Vulnerable example
public final class urlTool extends Applet {Common questions about CWE-582.
The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
In most situations the array should be made private.
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Exploiting CWE-582 can lead to: Modify Application Data.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-582 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.