Variant · Low-Medium

CWE-580: clone() Method Without super.clone()

The product contains a clone() method that does not call super.clone() to obtain the new object.

CWE-580 · Variant Level · 2 Mitigations

Description

The product contains a clone() method that does not call super.clone() to obtain the new object.

All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type.

Potential Impact

Integrity, Other

Unexpected State, Quality Degradation

Demonstrative Examples

The following two classes demonstrate a bug introduced by not calling super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer.
Bad

public class Kibitzer {
    public Object clone() throws CloneNotSupportedException {
        // Allocates a Kibitzer directly instead of calling super.clone(),
        // so the runtime type is fixed to Kibitzer regardless of the receiver.
        Object returnMe = new Kibitzer();
        ...
        return returnMe;
    }
}

public class FancyKibitzer extends Kibitzer {
    public Object clone() throws CloneNotSupportedException {
        // Follows the convention, but super.clone() here is Kibitzer.clone(),
        // which returns a plain Kibitzer, never a FancyKibitzer.
        Object returnMe = super.clone();
        ...
        return returnMe;
    }
}

Mitigations & Prevention

Implementation

Call super.clone() within your clone() method, when obtaining a new object.

Implementation

In some cases, you can eliminate the clone method altogether and use copy constructors.
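The corrected hierarchy, as an added example that is not part of the CWE entry: both clone() methods obtain their object from super.clone(), so the runtime type of the copy always matches the receiver, and FancyKibitzer additionally deep-copies its mutable field; the topic and remarks fields and the copy constructor on Kibitzer are assumptions added to show the alternative mentioned above.

```java
// Added example, not from the CWE entry: Kibitzer/FancyKibitzer with the
// super.clone() convention followed (field names are assumptions).
public class CloneConventionDemo {

    static class Kibitzer implements Cloneable {
        private String topic;

        Kibitzer(String topic) { this.topic = topic; }

        // Copy constructor: the alternative to clone() named in the mitigations.
        Kibitzer(Kibitzer other) { this.topic = other.topic; }

        @Override
        public Kibitzer clone() {
            try {
                // Object.clone() allocates an instance of this.getClass() and
                // copies every field, so subclasses get their own type back.
                return (Kibitzer) super.clone();
            } catch (CloneNotSupportedException e) {
                // Unreachable: this class implements Cloneable.
                throw new AssertionError(e);
            }
        }
    }

    static class FancyKibitzer extends Kibitzer {
        private int[] remarks; // mutable state a plain shallow copy would share

        FancyKibitzer(String topic, int[] remarks) {
            super(topic);
            this.remarks = remarks;
        }

        @Override
        public FancyKibitzer clone() {
            // super.clone() resolves to Kibitzer.clone(), which in turn reaches
            // Object.clone(), so the result really is a FancyKibitzer.
            FancyKibitzer copy = (FancyKibitzer) super.clone();
            copy.remarks = remarks.clone(); // do not share the array with the original
            return copy;
        }
    }

    public static void main(String[] args) {
        FancyKibitzer original = new FancyKibitzer("chess", new int[] {1, 2, 3});
        Kibitzer copy = original.clone();
        if (copy.getClass() != FancyKibitzer.class || copy == original) {
            throw new AssertionError("clone() returned the wrong type or the same object");
        }
    }
}
```

Replacing Kibitzer.clone() with the CWE's bad version (new Kibitzer()) makes the cast in FancyKibitzer.clone() throw a ClassCastException, which is the wrong-type symptom the description refers to.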

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Taxonomy Mappings

  • Software Fault Patterns: SFP28 — Unexpected access points

Frequently Asked Questions

What is CWE-580?

CWE-580 (clone() Method Without super.clone()) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product contains a clone() method that does not call super.clone() to obtain the new object.

How can CWE-580 be exploited?

Exploitation of CWE-580 (clone() Method Without super.clone()) can lead to an unexpected state or quality degradation. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-580?

Key mitigations include: Call super.clone() within your clone() method, when obtaining a new object.

What is the severity of CWE-580?

CWE-580 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.