Array Declared Public, Final, and Static

Draft Variant
Structure: Simple
Description

This vulnerability occurs when an array is declared as public, final, and static, which does not protect the data inside the array from being altered.

Extended Description

While the `final` keyword ensures the array reference itself cannot point to a new object, it does not lock the contents of the array. The array elements remain fully mutable, meaning their values can be changed, added, or removed. Because the array is also declared `public`, any part of the code—including potentially untrusted or malicious components—can directly access and modify the array's data. This combination of public exposure with insufficient data protection typically represents a security flaw or design oversight that should be corrected.

Common Consequences 1
Scope: Integrity

Impact: Modify Application Data

Potential Mitigations 1
Phase: Implementation
In most situations the array should be made private.
Demonstrative Examples 1
The following Java Applet code mistakenly declares an array public, final and static.

Code Example (Bad, Java):
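
An added illustration of the flaw and of the "make the array private" mitigation, not the entry's own listing: the class names, the `ALLOWED_HOSTS` field and the host strings are hypothetical, and `List.of` assumes Java 9 or later.

```java
import java.util.Arrays;
import java.util.List;

public class PublicFinalStaticArrayDemo {

    // Flawed form: `final` freezes the reference only; any class can write the elements.
    static class BadConfig {
        public static final String[] ALLOWED_HOSTS = { "updates.example.test", "cdn.example.test" };
    }

    // Mitigated form: the array is private and callers only ever see copies or read-only views.
    static class GoodConfig {
        private static final String[] ALLOWED_HOSTS = { "updates.example.test", "cdn.example.test" };

        // Defensive copy: writes by the caller land in the copy, not in the private array.
        public static String[] allowedHosts() {
            return ALLOWED_HOSTS.clone();
        }

        // Read-only snapshot: List.of copies the elements and rejects set/add/remove.
        public static List<String> allowedHostList() {
            return List.of(ALLOWED_HOSTS);
        }

        public static boolean isAllowed(String host) {
            return Arrays.asList(ALLOWED_HOSTS).contains(host);
        }
    }

    public static void main(String[] args) {
        // Any code that can see BadConfig can overwrite a trusted entry in place.
        BadConfig.ALLOWED_HOSTS[0] = "untrusted.example.test";
        System.out.println("bad, after write:  " + Arrays.toString(BadConfig.ALLOWED_HOSTS));
        // BadConfig.ALLOWED_HOSTS = new String[0];  // the only thing `final` rejects (compile error)

        // The same write against the mitigated class only changes the caller's copy.
        String[] copy = GoodConfig.allowedHosts();
        copy[0] = "untrusted.example.test";
        System.out.println("good, after write: " + Arrays.toString(GoodConfig.allowedHosts()));
        System.out.println("untrusted allowed? " + GoodConfig.isAllowed("untrusted.example.test"));

        try {
            GoodConfig.allowedHostList().set(0, "untrusted.example.test");
        } catch (UnsupportedOperationException e) {
            System.out.println("read-only view rejected the write");
        }
    }
}
```

The accessor must return a copy or a read-only view; a getter that returns the private array itself reintroduces the same exposure.
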
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns