The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
View on MITREBecause arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.
In most situations the array should be made private.
No detection method information available for this CWE.
The following Java Applet code mistakenly declares an array public, final and static.
No relationship information available for this CWE.
CWE-582: Array Declared Public, Final, and Static is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.
If exploited, CWE-582 (Array Declared Public, Final, and Static) it can compromise Integrity, leading to outcomes such as Modify Application Data.
Recommended mitigations for CWE-582 include: In most situations the array should be made private.
CWE-582 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-582 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.