CWE-583: finalize() Method Declared Public
The product violates secure coding principles for mobile code by declaring a finalize() method public.
Last updated
Overview
A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.
Common consequences
What can happen when CWE-583 is exploited.
Alter Execution Logic, Execute Unauthorized Code or Commands, Modify Application Data
Affects: Confidentiality, Integrity, Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-583, grouped by where in the lifecycle they apply.