Category: SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ)
Stable
Summary
Weaknesses in this category are related to the rules and recommendations in the Object Orientation (OBJ) section of the SEI CERT Oracle Secure Coding Standard for Java.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-374 | Passing Mutable Objects to an Untrusted Method | This vulnerability occurs when a function receives a direct reference to mutable data, such as an object or array, instead of a safe copy of that data. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | This vulnerability occurs when a method directly returns a reference to its internal mutable data, allowing untrusted calling code to modify that data unexpectedly. |
| CWE-486 | Comparison of Classes by Name | This vulnerability occurs when an application determines an object's trustworthiness or behavior solely by checking its class name. Since multiple classes can share identical names across different packages or classloaders, this comparison can lead to using the wrong, potentially malicious, class. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | This vulnerability occurs when a class implements a public clone() method without declaring it final. This allows attackers to create copies of objects without invoking their constructors, potentially leaving the cloned object in an inconsistent or insecure state. |
| CWE-492 | Use of Inner Class Containing Sensitive Data | Using inner classes to handle sensitive data can unintentionally expose that data because of how Java compiles them. The compiler transforms inner classes into separate, package-visible classes, which can bypass the intended private access restrictions. |
| CWE-498 | Cloneable Class Containing Sensitive Information | This vulnerability occurs when a class containing sensitive information, such as credentials or personal data, is made cloneable. Attackers can bypass normal initialization and access the sensitive data by creating a copy of the object. |
| CWE-500 | Public Static Field Not Marked Final | This vulnerability occurs when a class exposes a public static field without declaring it as final, allowing unintended modification from anywhere in the application. |
| CWE-766 | Critical Data Element Declared Public | This vulnerability occurs when a critical piece of data—like a variable, field, or class member—is mistakenly declared as public when it should be kept private according to the application's security design. |
| CWE-1133 | Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects that current rules and recommendations of the SEI CERT Oracle Coding Standard for Java. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.