CWE-583 - finalize() Method Declared Public
- Abstraction: Variant
- Structure: Simple
- Status: Incomplete
- Release Date: 2006-12-15
- Latest Modification Date: 2023-06-29
Weakness Name
finalize() Method Declared Public
Description
The product violates secure coding principles for mobile code by declaring a finalize() method public.
A product should never call finalize() explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code situations, the otherwise error-prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke a finalize() method because it is declared with public access.
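The weak declaration beside the corrected one, with a reflection check that flags the weak form during review. This is an added Java example, not part of the CWE entry; the class names, the `token` field and the `declaresPublicFinalize` helper are hypothetical, and the sample value is constructed.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

// Added illustration; all class and method names are hypothetical.
public class FinalizeVisibilityDemo {
    // Weak form: public finalize() can be called by any code holding a reference.
    static class WeakSession {
        private char[] token = "constructed-sample".toCharArray();
        @Override
        public void finalize() throws Throwable {
            try {
                token = null; // cleanup meant to run only at garbage collection
            } finally {
                super.finalize();
            }
        }
        boolean isUsable() { return token != null; }
    }

    // Corrected form: same cleanup, declared protected as in java.lang.Object.
    static class FixedSession {
        private char[] token = "constructed-sample".toCharArray();
        @Override
        protected void finalize() throws Throwable {
            try {
                token = null;
            } finally {
                super.finalize(); // the one explicit finalize() call the entry allows
            }
        }
    }

    // Review check: true when the class itself declares a public no-arg finalize().
    static boolean declaresPublicFinalize(Class<?> type) {
        try {
            Method m = type.getDeclaredMethod("finalize");
            return Modifier.isPublic(m.getModifiers());
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Throwable {
        WeakSession weak = new WeakSession();
        weak.finalize(); // permitted from any package because the method is public
        System.out.println("usable after external finalize(): " + weak.isUsable());
        System.out.println("WeakSession flagged: " + declaresPublicFinalize(WeakSession.class));
        System.out.println("FixedSession flagged: " + declaresPublicFinalize(FixedSession.class));
    }
}
```

Because the demo classes are nested, `main` could reach a protected method as well; the visibility difference matters for callers in other packages, which is what the reflection check reports on.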
Common Consequences
Scope: Confidentiality, Integrity, Availability
Impact: Alter Execution Logic, Execute Unauthorized Code or Commands, Modify Application Data