CWE-583

finalize() Method Declared Public

AI Translation Available

The product violates secure coding principles for mobile code by declaring a finalize() method public.

Status

incomplete

Abstraction

variant

Affected Platforms

Java

Extended Description

AI Translation

A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.

Technical Details

AI Translation

Common Consequences

confidentiality integrity availability

Impacts

alter execution logic execute unauthorized code or commands modify application data

Detection Methods

automated static analysis

Potential Mitigations

Phases:

implementation

Descriptions:

• If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.

AI Generated Translation

Common Consequences

riservatezza integrità disponibilità

Impacts

alterazione esecuzione logica eseguire codice o comandi non autorizzati modificare dati applicazione

Detection Methods

analisi statica automatizzata

Potential Mitigations

Phases:

implementazione

Descriptions:

• Se si utilizza finalize() come previsto, non c'è motivo di dichiararla con un livello di accesso diverso da protected.

CWE-583

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Common Consequences

Impacts

Detection Methods

Potential Mitigations

Iscriviti alla newsletter