Description
A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package. The final modifier only prevents the field from being reassigned to a different object; it does nothing to stop callers from modifying the contents of the object the field points to, so an array, collection or other mutable type exposed this way is still writable by any code that can read the field.
Potential Impact
Integrity
Modify Application Data
Demonstrative Examples
// An array is inherently mutable: 'final' fixes the reference, not the elements,
// so any class that can see this field can overwrite USER_ROLES[i].
public static final String[] USER_ROLES;
Mitigations & Prevention
Protect mutable objects by making them private. Restrict access to the getter and setter as well: a getter that hands back the private array or collection itself reintroduces the problem, so return a defensive copy or an unmodifiable view (for example List.of or Collections.unmodifiableList) instead of the original reference.
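The following is an added example, not code from the CWE entry itself, that puts the demonstrative example above next to the mitigation. It assumes a hypothetical role table: the vulnerable class exposes the array directly, and the hardened class keeps it private and publishes only a defensive copy and an unmodifiable view. Class and field names are invented for illustration.

```java
import java.util.Arrays;
import java.util.List;

/*
 * Added example (not part of the CWE-607 entry): a role table exposed through
 * a public static final array, beside a hardened version. Names are hypothetical.
 */
public class Cwe607Demo {

    // Vulnerable: 'final' only fixes the reference. Any class that can see this
    // field, in any package, can write through it, e.g. USER_ROLES[0] = "admin".
    static final class VulnerableRoles {
        public static final String[] USER_ROLES = { "guest", "editor" };

        static boolean isAllowed(String role) {
            return Arrays.asList(USER_ROLES).contains(role);
        }
    }

    // Hardened: the mutable array is private. Callers get either an
    // unmodifiable view or a defensive copy, so the authoritative table
    // cannot be changed from outside this class.
    static final class HardenedRoles {
        private static final String[] USER_ROLES = { "guest", "editor" };

        // List.of copies the array; the resulting list rejects every mutator.
        public static final List<String> ROLES_VIEW = List.of(USER_ROLES);

        // Defensive copy: the caller may scribble on it without effect here.
        public static String[] userRoles() {
            return USER_ROLES.clone();
        }

        static boolean isAllowed(String role) {
            return ROLES_VIEW.contains(role);
        }
    }

    public static void main(String[] args) {
        // 1. Tampering with the public final array succeeds from outside the class
        //    and changes the authorization decision.
        System.out.println("vulnerable, before: admin allowed? " + VulnerableRoles.isAllowed("admin"));
        VulnerableRoles.USER_ROLES[0] = "admin";   // compiles and runs
        System.out.println("vulnerable, after:  admin allowed? " + VulnerableRoles.isAllowed("admin"));

        // 2. The hardened class hands out a copy; writes to it are discarded.
        String[] copy = HardenedRoles.userRoles();
        copy[0] = "admin";
        System.out.println("hardened, copy tampered: admin allowed? " + HardenedRoles.isAllowed("admin"));

        // 3. The unmodifiable view refuses mutation outright.
        try {
            HardenedRoles.ROLES_VIEW.set(0, "admin");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened, view: mutation rejected");
        }
    }
}
```

Compile and run with `javac Cwe607Demo.java && java Cwe607Demo` (Java 9 or later for List.of). The first two lines show the authorization check flipping after an outside write to the vulnerable field; the hardened variant keeps its answer because the write lands on a copy, and the view throws rather than accept the change. Note that `Collections.unmodifiableList(Arrays.asList(USER_ROLES))` would be a view over the same array, so the private array must still never escape through another path.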
Detection Methods
- Automated Static Analysis (Effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
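As an added illustration of what the simplest form of such a check looks like, here is a small line-based scanner written for this page (it is not part of any real SAST tool or of the CWE entry). It flags public or protected static final fields whose declared type is an array or one of a constructed list of mutable JDK types; the sample source it scans is also constructed here.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Added example (not part of the CWE entry or any real tool): a minimal
 * syntactic check for the CWE-607 pattern. The type list is a constructed
 * subset of mutable JDK types, not an exhaustive one.
 */
public class Cwe607Lint {

    // Types whose contents stay writable even when the field reference is final.
    private static final List<String> MUTABLE_TYPES = List.of(
        "List", "ArrayList", "LinkedList", "Map", "HashMap", "TreeMap",
        "Set", "HashSet", "TreeSet", "Collection", "StringBuilder", "Date");

    // Group 1: declared type (generics and array brackets included),
    // group 2: field name. Only public/protected static final fields match.
    private static final Pattern FIELD = Pattern.compile(
        "^\\s*(?:public|protected)\\s+static\\s+final\\s+" +
        "([A-Za-z_][\\w.]*(?:<.*>)?(?:\\s*\\[\\s*\\])*)\\s+([A-Za-z_]\\w*)\\s*[;=]");

    static boolean isMutableType(String type) {
        if (type.contains("[")) return true;                 // any array type
        String base = type.replaceAll("<.*", "");            // strip generics
        base = base.substring(base.lastIndexOf('.') + 1);    // strip package prefix
        return MUTABLE_TYPES.contains(base);
    }

    /** Returns one "line N: NAME (TYPE)" finding per suspicious declaration. */
    static List<String> scan(String source) {
        List<String> findings = new ArrayList<>();
        String[] lines = source.split("\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = FIELD.matcher(lines[i]);
            if (m.find() && isMutableType(m.group(1))) {
                findings.add("line " + (i + 1) + ": " + m.group(2)
                             + " (" + m.group(1).trim() + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: two CWE-607 hits, two declarations that are fine
        // (an immutable String constant, and a private collection).
        String sample = String.join("\n",
            "public class Config {",
            "    public static final String[] USER_ROLES = {\"user\"};",
            "    protected static final Map<String, String> SETTINGS = new HashMap<>();",
            "    public static final String NAME = \"app\";",
            "    private static final List<String> CACHE = new ArrayList<>();",
            "}");
        scan(sample).forEach(System.out::println);
    }
}
```

Run with `javac Cwe607Lint.java && java Cwe607Lint`; it reports USER_ROLES and SETTINGS and stays quiet on NAME (String is immutable) and CACHE (private). This is deliberately a syntactic heuristic: it has no type resolution, so a user-defined mutable class or a field whose type is an interface with mutable implementations will be missed, and a private field that leaks through a getter is out of its reach entirely. That is exactly the gap a data-flow based SAST engine is meant to close.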
Related Weaknesses
Taxonomy Mappings
- Software Fault Patterns: SFP23 — Exposed Data
Frequently Asked Questions
What is CWE-607?
CWE-607 (Public Static Final Field References Mutable Object) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Variant-level weakness. A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.
How can CWE-607 be exploited?
Attackers can exploit CWE-607 (Public Static Final Field References Mutable Object) to modify application data: because the field is readable from any package and the object it references is mutable, code that can load the class can reassign array elements, add or remove collection entries, or otherwise alter state the application treats as a constant. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-607?
Key mitigations include: protect mutable objects by making them private, and restrict access to the getter and setter as well. Any accessor should return a defensive copy or an unmodifiable view rather than the private object itself, since returning the original reference leaves it just as writable as a public field.
What is the severity of CWE-607?
CWE-607 is classified as a Variant-level weakness. Variant is the most specific abstraction level in the CWE hierarchy, not a severity rating, and CWE does not assign this entry a fixed score. Its actual severity depends on the specific context and how the weakness manifests in your application; an exposed array of user roles or permissions, as in the demonstrative example, can amount to an authorization bypass, while an exposed cosmetic setting may be harmless.