The product violates secure coding principles for mobile code by declaring a finalize() method public.
View on MITREA product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.
If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.
No detection method information available for this CWE.
The following Java Applet code mistakenly declares a public finalize() method.
Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little if any control of the environment in which their code will execute, special security concerns become relevant. One of the biggest environmental threats results from the risk that the mobile code will run side-by-side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources together in the same JVM, many of the security guidelines for mobile code are focused on preventing manipulation of your objects' state and behavior by adversaries who have access to the same virtual machine where your product is running.
No relationship information available for this CWE.
CWE-583: finalize() Method Declared Public is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product violates secure coding principles for mobile code by declaring a finalize() method public. A product should never call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.
If exploited, CWE-583 (finalize() Method Declared Public) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Alter Execution Logic, Execute Unauthorized Code or Commands and Modify Application Data.
Recommended mitigations for CWE-583 include: If you are using finalize() as it was designed, there is no reason to declare finalize() with anything other than protected access.
CWE-583 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-583 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.