1. Home
  2. CWE Database
  3. CWE-582
Variant · Low-Medium

CWE-582: Array Declared Public, Final, and Static

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

CWE-582 · Variant Level ·1 Mitigations

Description

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

Because arrays are mutable objects, the final constraint requires that the array object itself be assigned only once, but makes no guarantees about the values of the array elements. Since the array is public, a malicious program can change the values stored in the array. As such, in most cases an array declared public, final and static is a bug.

Potential Impact

Integrity

Modify Application Data

Demonstrative Examples

The following Java Applet code mistakenly declares an array public, final and static.
Bad
public final class urlTool extends Applet {public final static URL[] urls;...}

Mitigations & Prevention

Implementation

In most situations the array should be made private.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-668: Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the...

Taxonomy Mappings

  • The CERT Oracle Secure Coding Standard for Java (2011): OBJ10-J — Do not use public static nonfinal variables
  • Software Fault Patterns: SFP28 — Unexpected Access Points

Frequently Asked Questions

What is CWE-582?

CWE-582 (Array Declared Public, Final, and Static) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

How can CWE-582 be exploited?

Attackers can exploit CWE-582 (Array Declared Public, Final, and Static) to modify application data. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-582?

Key mitigations include: In most situations the array should be made private.

What is the severity of CWE-582?

CWE-582 is classified as a Variant-level weakness (Low-Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.