CWE-583: finalize() Method Declared Public
ID | Abstraction | Structure | Status |
---|---|---|---|
CWE-583 | Variant | Simple | Incomplete |
The product violates secure coding principles for mobile code by declaring a finalize() method public.
A product should never call finalize() explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error-prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.
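The weak declaration beside its corrected form, with a reflection check that flags classes declaring a public finalize(). This is an added example, not part of the CWE entry; the class names and the publicFinalizers helper are hypothetical.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

// Added illustration; all class and method names are hypothetical.
public class FinalizeAccessCheck {
    // Weak form: finalize() is public, so any code holding a reference
    // can run the cleanup while the object is still in use.
    static class PublicFinalizeResource {
        private byte[] buffer = new byte[16];
        @Override
        public void finalize() throws Throwable {
            try { buffer = null; } finally { super.finalize(); }
        }
    }

    // Corrected form: finalize() keeps the protected access it has in
    // java.lang.Object; the only explicit call is super.finalize().
    static class ProtectedFinalizeResource {
        private byte[] buffer = new byte[16];
        @Override
        protected void finalize() throws Throwable {
            try { buffer = null; } finally { super.finalize(); }
        }
    }

    // Names of the given classes that declare a public no-argument finalize().
    static List<String> publicFinalizers(Class<?>... classes) {
        List<String> flagged = new ArrayList<>();
        for (Class<?> c : classes) {
            try {
                Method m = c.getDeclaredMethod("finalize");
                if (Modifier.isPublic(m.getModifiers())) {
                    flagged.add(c.getName());
                }
            } catch (NoSuchMethodException e) {
                // Class does not declare finalize(); nothing to flag.
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        System.out.println(publicFinalizers(PublicFinalizeResource.class,
                ProtectedFinalizeResource.class, String.class));
    }
}
```

The same modifier test can be run over every class an application loads, for example as a build-time or code-review check.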
Modes of Introduction
Phase | Note |
---|---|
Implementation | |
Applicable Platforms
Type | Class | Name | Prevalence |
---|---|---|---|
Language | | Java | |