This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
| ID | Name | Description |
|---|---|---|
| CWE-489 | Active Debug Code | This vulnerability occurs when software is deployed to production with debugging or diagnostic features still enabled and accessible. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | This vulnerability occurs when a class implements a public clone() method without declaring it final. This allows attackers to create copies of objects without invoking their constructors, potentially leaving the cloned object in an inconsistent or insecure state. |
| CWE-493 | Critical Public Variable Without Final Modifier | This vulnerability occurs when a security-sensitive variable is declared as public but not marked as final, allowing untrusted code to unexpectedly change its value after initialization. |
| CWE-500 | Public Static Field Not Marked Final | This vulnerability occurs when a class exposes a public static field without declaring it as final, allowing unintended modification from anywhere in the application. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | This vulnerability occurs when sensitive data, such as credentials, API keys, or internal logic, is embedded within test code or debugging applications that remain accessible in production environments. Attackers can discover and exploit these forgotten test artifacts to gain unauthorized access or gather critical intelligence about the system. |
| CWE-568 | finalize() Method Without super.finalize() | This vulnerability occurs when a Java class overrides the finalize() method but fails to call super.finalize() within it. |
| CWE-580 | clone() Method Without super.clone() | This vulnerability occurs when a class's clone() method creates a new object directly instead of calling super.clone(). |
| CWE-582 | Array Declared Public, Final, and Static | This vulnerability occurs when an array is declared as public, final, and static, which does not protect the data inside the array from being altered. |
| CWE-583 | finalize() Method Declared Public | This vulnerability occurs when a Java class declares its finalize() method as public, violating secure coding practices for mobile code. |
| CWE-608 | Struts: Non-private Field in ActionForm Class | This vulnerability occurs when an Apache Struts ActionForm class exposes a field without declaring it as private. This allows other parts of the application to directly read or modify the field's data, bypassing the intended setter and getter methods. |
| CWE-766 | Critical Data Element Declared Public | This vulnerability occurs when a critical piece of data (such as a variable, field, or class member) is mistakenly declared as public when it should be kept private according to the application's security design. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |