Category: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)
Stable
Summary
Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-374 | Passing Mutable Objects to an Untrusted Method | The product sends non-cloned mutable data as an argument to a method or function. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. |
| CWE-486 | Comparison of Classes by Name | The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. |
| CWE-492 | Use of Inner Class Containing Sensitive Data | Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. |
| CWE-498 | Cloneable Class Containing Sensitive Information | The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. |
| CWE-500 | Public Static Field Not Marked Final | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.