CWE-498: Cloneable Class Containing Sensitive Information
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
Extended Description
Cloneable classes are effectively open classes, since data cannot be hidden in them. Classes that do not explicitly deny cloning can be cloned by any other class without running the constructor.
Common Consequences
Scope: Access Control
Technical Impact: Bypass Protection Mechanism
Note: A class that can be cloned can be produced without executing the constructor. This is dangerous since the constructor may perform security-related checks. By allowing the object to be cloned, those checks may be bypassed.
Potential Mitigations
Phase: Implementation
Description: If you do make your classes cloneable, ensure that your clone method is final and throw super.clone().
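The following Java sketch is an added example, not part of the CWE entry: it contrasts a class that does not deny cloning with one that denies it through a final clone() method. All class names are constructed for illustration, and the throwing clone() is one common way to deny cloning explicitly, assumed here rather than taken from the entry.

```java
public class CloneGuardDemo {
    // Weak: non-final and does not deny cloning. The role check lives only in the constructor.
    static class Credential {
        static int constructorRuns = 0;
        private final char[] secret;
        Credential(String callerRole, char[] secret) {
            if (!"admin".equals(callerRole)) {
                throw new SecurityException("caller may not create a Credential");
            }
            constructorRuns++;
            this.secret = secret.clone();
        }
        char[] secret() { return secret; }
    }

    // A subclass can opt in to Cloneable; Object.clone() then copies every
    // field, including the private secret, without running any constructor.
    static class CopyableCredential extends Credential implements Cloneable {
        CopyableCredential(String role, char[] s) { super(role, s); }
        @Override public CopyableCredential clone() throws CloneNotSupportedException {
            return (CopyableCredential) super.clone();
        }
    }

    // Hardened: a final clone() that always throws. Subclasses cannot override
    // it, and their super.clone() calls end here rather than in Object.clone().
    static class SealedCredential {
        private final char[] secret;
        SealedCredential(char[] secret) { this.secret = secret.clone(); }
        @Override protected final Object clone() throws CloneNotSupportedException {
            throw new CloneNotSupportedException("SealedCredential must not be copied");
        }
    }

    static class SealedSub extends SealedCredential implements Cloneable {
        SealedSub(char[] s) { super(s); }
    }

    public static void main(String[] args) throws Exception {
        CopyableCredential original = new CopyableCredential("admin", "s3cr3t".toCharArray());
        CopyableCredential copy = original.clone();
        System.out.println("objects: 2, constructor runs: " + Credential.constructorRuns);
        System.out.println("copy shares secret array: " + (copy.secret() == original.secret()));
        try {
            new SealedSub("s3cr3t".toCharArray()).clone();
        } catch (CloneNotSupportedException e) {
            System.out.println("sealed class refused clone: " + e.getMessage());
        }
    }
}
```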
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Programming Languages
Taxonomy Mappings
| Taxonomy Name | Entry ID | Entry Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Information leak through class cloning | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | OBJ07-J | Sensitive classes must not let themselves be copied | - |
| Software Fault Patterns | SFP23 | Exposed Data | - |