CWE-486: Comparison of Classes by Name

VariantDraftExploit Likelihood: High

The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.

View on MITRE
Back to CWE Lookup

Extended Description

If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-486: Comparison of Classes by Name?+

CWE-486: Comparison of Classes by Name is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name. If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

What are the security consequences of Comparison of Classes by Name?+

If exploited, CWE-486 (Comparison of Classes by Name) it can compromise Integrity, Confidentiality and Availability, leading to outcomes such as Execute Unauthorized Code or Commands.

How do you prevent or mitigate Comparison of Classes by Name?+

Recommended mitigations for CWE-486 include: Use class equivalency to determine type. Rather than use the class name to determine if an object is of a given type, use the getClass() method, and == operator.

Which programming languages are affected by Comparison of Classes by Name?+

CWE-486 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-486 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More