Variant · Low-Medium

CWE-500: Public Static Field Not Marked Final

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

CWE-500 · Variant Level · 2 Mitigations

Description

Public static variables can be read without an accessor and changed without a mutator by any classes in the application.

Potential Impact

Integrity

Modify Application Data

Confidentiality

Read Application Data

Demonstrative Examples

The following examples use a public static String variable to hold the name of the application's property/configuration file.
Bad (C++)
#include <string>

class SomeAppClass {
public:
    // Public, mutable static: any code in the process can reassign it
    inline static std::string appPropertiesConfigFile = "app/properties.config";
    // ...
};

Bad (Java)
public class SomeAppClass {
    // Public, non-final static: any class in the application can reassign it
    public static String appPropertiesFile = "app/Application.properties";
    // ...
}
Having a public static variable that is not marked final (constant) may allow the variable to be altered in a way not intended by the application. In this example the String variable can be modified to point at a different or nonexistent properties file, which could cause the application to crash or behave unexpectedly.
Good (C++)
#include <string>

class SomeAppClass {
public:
    // Constant: assignment after initialization is a compile-time error
    inline static const std::string appPropertiesConfigFile = "app/properties.config";
    // ...
};

Good (Java)
public class SomeAppClass {
    // Final: assignment after initialization is a compile-time error
    public static final String appPropertiesFile = "app/Application.properties";
    // ...
}

Mitigations & Prevention

Architecture and Design

Clearly identify the scope for all critical data elements, including whether they should be regarded as static.

Implementation

Make any static fields private and constant. A constant field is denoted by the keyword 'const' in C/C++ and 'final' in Java.
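The following C++ program is an added example, not code from the CWE entry, that puts the "Bad" form from the demonstrative examples next to the private-and-constant form recommended under Implementation and exercises both. It uses a constructed in-memory map in place of the filesystem; the names WeakAppClass, HardenedAppClass, unrelatedModuleChangesPath and weakLoadAfterRedirect are assumptions of this illustration.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <optional>
#include <string>

// Constructed stand-in for the filesystem: path -> file contents.
static const std::map<std::string, std::string> kFakeFs = {
    {"app/properties.config", "db.host=localhost"},
    {"tmp/other.config", "db.host=other"},
};

// Weak form (mirrors the page's "Bad" example): the path is a public,
// mutable static, so any code in the process can reassign it.
struct WeakAppClass {
    static std::string appPropertiesConfigFile;

    static std::optional<std::string> loadConfig() {
        auto it = kFakeFs.find(appPropertiesConfigFile);
        if (it == kFakeFs.end()) return std::nullopt;
        return it->second;
    }
};
std::string WeakAppClass::appPropertiesConfigFile = "app/properties.config";

// Unrelated code (a test helper, a plugin, any other class) that happens to
// overwrite the shared static. Nothing in WeakAppClass can prevent this.
void unrelatedModuleChangesPath(const std::string& newPath) {
    WeakAppClass::appPropertiesConfigFile = newPath;
}

// What the weak class loads once another module has changed the path.
std::optional<std::string> weakLoadAfterRedirect(const std::string& newPath) {
    unrelatedModuleChangesPath(newPath);
    return WeakAppClass::loadConfig();
}

// Hardened form (the page's "Good" example plus the Implementation mitigation):
// the field is private and constant, exposed only through a read-only accessor.
class HardenedAppClass {
public:
    static const std::string& configFile() { return kAppPropertiesConfigFile; }

    static std::optional<std::string> loadConfig() {
        auto it = kFakeFs.find(kAppPropertiesConfigFile);
        if (it == kFakeFs.end()) return std::nullopt;
        return it->second;
    }

private:
    static const std::string kAppPropertiesConfigFile;
};
const std::string HardenedAppClass::kAppPropertiesConfigFile = "app/properties.config";
// HardenedAppClass::configFile() = "x";              // does not compile: const reference
// HardenedAppClass::kAppPropertiesConfigFile = "x";  // does not compile: private and const

int main() {
    // Before any interference the weak class loads the intended file.
    assert(weakLoadAfterRedirect("app/properties.config").value() == "db.host=localhost");
    // Another module silently redirects it to a different configuration.
    assert(weakLoadAfterRedirect("tmp/other.config").value() == "db.host=other");
    // Or to a nonexistent one, and loading now fails.
    assert(!weakLoadAfterRedirect("does/not/exist.config").has_value());
    // The hardened class is unaffected: its path cannot be reassigned at all.
    assert(HardenedAppClass::loadConfig().value() == "db.host=localhost");
    std::printf("weak path now: %s\nhardened path: %s\n",
                WeakAppClass::appPropertiesConfigFile.c_str(),
                HardenedAppClass::configFile().c_str());
    return 0;
}
```

The point of the accessor returning `const std::string&` is that the constant stays readable everywhere it was read before, while every write site that used to compile against the public static now fails at build time rather than at runtime.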

Detection Methods

  • Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
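To make the static-analysis detection method concrete, here is an added example (not from the CWE entry or any SAST product) of a small line-based check, written in C++, that flags Java field declarations which are public and static but not final, in any modifier order. The input kSampleJavaSource is constructed for this illustration, and findPublicStaticNonFinal and cleanLine are names chosen here.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// One finding: the 1-based line number and the field name flagged.
struct Finding {
    int line;
    std::string field;
};

// Constructed Java source used as input; not taken from any real project.
static const char* kSampleJavaSource =
    "public class SomeAppClass {\n"
    "    public static String appPropertiesFile = \"app/Application.properties\"; // flagged\n"
    "    public static final String VERSION = \"1.0\";      // ok: final\n"
    "    public final static int MAX_RETRIES = 3;           // ok: final, other order\n"
    "    static public int counter;                         // flagged: no final, no initializer\n"
    "    private static String secret = \"x\";              // ok: private\n"
    "    public static void reset() { counter = 0; }        // ok: a method, not a field\n"
    "    // public static String commented = \"out\";       // ok: comment\n"
    "}\n";

// Drops a trailing // comment (ignoring // inside string literals) and trims.
static std::string cleanLine(const std::string& line) {
    std::string out;
    bool inString = false;
    for (size_t i = 0; i < line.size(); ++i) {
        char c = line[i];
        if (c == '"' && (i == 0 || line[i - 1] != '\\')) inString = !inString;
        if (!inString && c == '/' && i + 1 < line.size() && line[i + 1] == '/') break;
        out += c;
    }
    auto first = out.find_first_not_of(" \t\r");
    if (first == std::string::npos) return "";
    auto last = out.find_last_not_of(" \t\r");
    return out.substr(first, last - first + 1);
}

// Heuristic, line-based check: a line that ends in ';', contains no '(' (so it
// is not a method), and whose declaration tokens before '=' include both
// "public" and "static" but not "final" is reported as a CWE-500 candidate.
// Multi-line declarations and block comments are outside this toy's scope.
std::vector<Finding> findPublicStaticNonFinal(const std::string& source) {
    std::vector<Finding> findings;
    std::istringstream in(source);
    std::string raw;
    int lineNo = 0;
    while (std::getline(in, raw)) {
        ++lineNo;
        std::string line = cleanLine(raw);
        if (line.empty() || line.back() != ';' || line.find('(') != std::string::npos) continue;
        // Keep only the declaration part: everything before '=' (or before ';').
        auto cut = line.find('=');
        if (cut == std::string::npos) cut = line.size() - 1;
        std::istringstream decl(line.substr(0, cut));
        std::vector<std::string> tokens;
        for (std::string t; decl >> t;) tokens.push_back(t);
        bool isPublic = false, isStatic = false, isFinal = false;
        for (const auto& t : tokens) {
            if (t == "public") isPublic = true;
            else if (t == "static") isStatic = true;
            else if (t == "final") isFinal = true;
        }
        // A field declaration needs at least a type and a name after the modifiers.
        if (isPublic && isStatic && !isFinal && tokens.size() >= 2)
            findings.push_back({lineNo, tokens.back()});
    }
    return findings;
}

int main() {
    for (const auto& f : findPublicStaticNonFinal(kSampleJavaSource))
        std::printf("line %d: public static non-final field '%s'\n", f.line, f.field.c_str());
    return 0;
}
```

Run against the sample it reports lines 2 and 5 (appPropertiesFile and counter) and nothing else. A production SAST tool works on the parsed AST rather than on text, which is what lets it handle declarations split across lines, annotations, and block comments that this heuristic skips.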

Taxonomy Mappings

  • CLASP — Overflow of static internal buffer
  • The CERT Oracle Secure Coding Standard for Java (2011): OBJ10-J — Do not use public static nonfinal variables
  • Software Fault Patterns: SFP28 — Unexpected access points

Frequently Asked Questions

What is CWE-500?

CWE-500 (Public Static Field Not Marked Final) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

How can CWE-500 be exploited?

Attackers can exploit CWE-500 (Public Static Field Not Marked Final) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-500?

Key mitigations include: Clearly identify the scope for all critical data elements, including whether they should be regarded as static.

What is the severity of CWE-500?

CWE-500 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.