Variant · Low-Medium

CWE-491: Public cloneable() Method Without Final ('Object Hijack')

CWE-491 · Variant Level · 1 Mitigation

Description

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

Potential Impact

Integrity, Other

Unexpected State, Varies by Context

Demonstrative Examples

In this example, a public class "BankAccount" implements Cloneable and provides a clone method declared as "Object clone(String accountnumber)" that is not final:
Bad
public class BankAccount implements Cloneable {
    // Not declared final, so a subclass can override it and return an
    // object that never went through the constructor
    public Object clone(String accountnumber) throws CloneNotSupportedException {
        Object returnMe = new BankAccount(accountnumber);
        ...
    }
}
In the example below, a clone() method is defined without being declared final.
Bad
protected Object clone() throws CloneNotSupportedException {...}

Mitigations & Prevention

Implementation

Make the cloneable() method final.
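As an added example that is not part of the CWE entry, the Java below (hypothetical class names BankAccount and SafeBankAccount) puts the overridable clone() of the demonstrative examples next to the mitigation above, a final clone() that refuses to copy:

```java
// Added example, not from the CWE entry: hypothetical account classes showing
// an overridable clone() beside the recommended final clone().
public class CloneHijackDemo {
    // Vulnerable: clone() is public and not final. Any caller or subclass can
    // copy an instance, and the copy never passes through the constructor.
    static class BankAccount implements Cloneable {
        private final String accountNumber;
        private boolean authorized = false; // constructor always starts unauthorized
        BankAccount(String accountNumber) {
            if (accountNumber == null || accountNumber.isEmpty())
                throw new IllegalArgumentException("account number required");
            this.accountNumber = accountNumber;
        }
        void authorize() { authorized = true; }
        boolean isAuthorized() { return authorized; }
        @Override
        public Object clone() throws CloneNotSupportedException {
            return super.clone(); // field-for-field copy, constructor not run
        }
    }

    // Hardened: clone() is final and refuses to copy, so a subclass cannot
    // reopen it and every instance must come from the constructor.
    static class SafeBankAccount {
        private final String accountNumber;
        SafeBankAccount(String accountNumber) {
            if (accountNumber == null || accountNumber.isEmpty())
                throw new IllegalArgumentException("account number required");
            this.accountNumber = accountNumber;
        }
        @Override
        public final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException("copying not permitted");
        }
    }

    public static void main(String[] args) throws Exception {
        BankAccount original = new BankAccount("12345");
        original.authorize();
        BankAccount copy = (BankAccount) original.clone();
        System.out.println("copy authorized without constructor: " + copy.isAuthorized());
        SafeBankAccount safe = new SafeBankAccount("12345");
        try {
            safe.clone();
        } catch (CloneNotSupportedException e) {
            System.out.println("safe clone refused: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java: the first line shows the cloned copy carrying the authorized flag even though its constructor was never invoked, the second shows the final clone() rejecting the copy.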

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • 7 Pernicious Kingdoms — Mobile Code: Object Hijack
  • The CERT Oracle Secure Coding Standard for Java (2011): OBJ07-J — Sensitive classes must not let themselves be copied
  • Software Fault Patterns: SFP28 — Unexpected access points

Frequently Asked Questions

What is CWE-491?

CWE-491 (Public cloneable() Method Without Final ('Object Hijack')) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state.

How can CWE-491 be exploited?

Attackers can exploit CWE-491 (Public cloneable() Method Without Final ('Object Hijack')) to leave an object in an unexpected state; the exact impact varies by context. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-491?

Key mitigations include: Make the cloneable() method final.

What is the severity of CWE-491?

CWE-491 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.