CWE-493: Critical Public Variable Without Final Modifier

VariantDraftExploit Likelihood: High

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

View on MITRE
Back to CWE Lookup

Extended Description

If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.

Technical Details

Structure
Simple

Applicable To

Languages
JavaC++
Platforms

Frequently Asked Questions

What is CWE-493: Critical Public Variable Without Final Modifier?+

CWE-493: Critical Public Variable Without Final Modifier is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.

What are the security consequences of Critical Public Variable Without Final Modifier?+

If exploited, CWE-493 (Critical Public Variable Without Final Modifier) it can compromise Integrity and Confidentiality, leading to outcomes such as Modify Application Data and Read Application Data.

How do you prevent or mitigate Critical Public Variable Without Final Modifier?+

Recommended mitigations for CWE-493 include: Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.

Which programming languages are affected by Critical Public Variable Without Final Modifier?+

CWE-493 commonly affects Java and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-493 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More