Description
The product does not maintain equal hashcodes for equal objects.
Java objects are expected to obey a number of invariants related to equality. One of these invariants is that equal objects must have equal hashcodes. In other words, if a.equals(b) == true then a.hashCode() == b.hashCode().
Potential Impact
Integrity, Other
Other
Mitigations & Prevention
Both Equals() and Hashcode() should be defined.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): MET09-J — Classes that define an equals() method must also define a hashCode() method
Frequently Asked Questions
What is CWE-581?
CWE-581 (Object Model Violation: Just One of Equals and Hashcode Defined) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product does not maintain equal hashcodes for equal objects.
How can CWE-581 be exploited?
Attackers can exploit CWE-581 (Object Model Violation: Just One of Equals and Hashcode Defined) to other. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-581?
Key mitigations include: Both Equals() and Hashcode() should be defined.
What is the severity of CWE-581?
CWE-581 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.