The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
View on MITREIf a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.
The object could potentially be tampered with.
The object could potentially allow the object to be read.
Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
No detection method information available for this CWE.
Suppose this WidgetData class is used for an e-commerce web site. The programmer attempts to prevent price-tampering attacks by setting the price of the widget using the constructor.
The price field is not final. Even though the value is set by the constructor, it could be modified by anybody that has access to an instance of WidgetData.
Assume the following code is intended to provide the location of a configuration file that controls execution of the application.
While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function.
Assume the following code is intended to provide the location of a configuration file that controls execution of the application.
While this field is readable from any function, and thus might allow an information leak of a pathname, a more serious problem is that it can be changed by any function.
No relationship information available for this CWE.
CWE-493: Critical Public Variable Without Final Modifier is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. If a field is non-final and public, it can be changed once the value is set by any function that has access to the class which contains the field. This could lead to a vulnerability if other parts of the program make assumptions about the contents of that field.
If exploited, CWE-493 (Critical Public Variable Without Final Modifier) it can compromise Integrity and Confidentiality, leading to outcomes such as Modify Application Data and Read Application Data.
Recommended mitigations for CWE-493 include: Declare all public fields as final when possible, especially if it is used to maintain internal state of an Applet or of classes used by an Applet. If a field must be public, then perform all appropriate sanity checks before accessing the field from your code.
CWE-493 commonly affects Java and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-493 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.