Category: The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ)
Obsolete
Summary
Weaknesses in this category are related to rules in the Object Orientation (OBJ) chapter of The CERT Oracle Secure Coding Standard for Java (2011).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-374 | Passing Mutable Objects to an Untrusted Method | The product sends non-cloned mutable data as an argument to a method or function. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function. |
| CWE-486 | Comparison of Classes by Name | The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. |
| CWE-492 | Use of Inner Class Containing Sensitive Data | Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers. |
| CWE-493 | Critical Public Variable Without Final Modifier | The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. |
| CWE-498 | Cloneable Class Containing Sensitive Information | The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class. |
| CWE-500 | Public Static Field Not Marked Final | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
| CWE-582 | Array Declared Public, Final, and Static | The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-844 | Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the book "The CERT Oracle Secure Coding Standard for Java" published in 2011. This view is considered obsolete as a newer version of the coding standard is available. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.