CWE-582: Array Declared Public, Final, and Static

VariantDraft

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

View on MITRE
Back to CWE Lookup

Extended Description

Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-582: Array Declared Public, Final, and Static?+

CWE-582: Array Declared Public, Final, and Static is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.

What are the security consequences of Array Declared Public, Final, and Static?+

If exploited, CWE-582 (Array Declared Public, Final, and Static) it can compromise Integrity, leading to outcomes such as Modify Application Data.

How do you prevent or mitigate Array Declared Public, Final, and Static?+

Recommended mitigations for CWE-582 include: In most situations the array should be made private.

Which programming languages are affected by Array Declared Public, Final, and Static?+

CWE-582 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-582 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More