CWE-583: finalize() Method Declared Public

VariantIncomplete

The product violates secure coding principles for mobile code by declaring a finalize() method public.

View on MITRE
Back to CWE Lookup

Extended Description

A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.

Technical Details

Structure
Simple

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-583: finalize() Method Declared Public?+

CWE-583: finalize() Method Declared Public is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product violates secure coding principles for mobile code by declaring a finalize() method public. A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.

What are the security consequences of finalize() Method Declared Public?+

If exploited, CWE-583 (finalize() Method Declared Public) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Alter Execution Logic, Execute Unauthorized Code or Commands and Modify Application Data.

How do you prevent or mitigate finalize() Method Declared Public?+

Recommended mitigations for CWE-583 include: If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.

Which programming languages are affected by finalize() Method Declared Public?+

CWE-583 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-583 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More