Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-580:clone() Method Without super.clone()
Weakness ID:580
Version:v4.17
Weakness Name:clone() Method Without super.clone()
Vulnerability Mapping:Allowed
Abstraction:Variant
Structure:Simple
Status:Draft
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

The product contains a clone() method that does not call super.clone() to obtain the new object.

▼Extended Description

All implementations of clone() should obtain the new object by calling super.clone(). If a class does not follow this convention, a subclass's clone() method will return an object of the wrong type.

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
ChildOfDiscouragedP664Improper Control of a Resource Through its Lifetime
ChildOfAllowed-with-ReviewC573Improper Following of Specification by Caller
Nature: ChildOf
Mapping: Discouraged
Type: Pillar
ID: 664
Name: Improper Control of a Resource Through its Lifetime
Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 573
Name: Improper Following of Specification by Caller
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC265Privilege Issues
MemberOfProhibitedC1002SFP Secondary Cluster: Unexpected Entry Points
MemberOfProhibitedC1416Comprehensive Categorization: Resource Lifecycle Management
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 265
Name: Privilege Issues
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1002
Name: SFP Secondary Cluster: Unexpected Entry Points
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1416
Name: Comprehensive Categorization: Resource Lifecycle Management
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-315Unexpected State (impact)
MemberOfProhibitedBSBOSS-325Quality Degradation (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-315
Name: Unexpected State (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-325
Name: Quality Degradation (impact)
▼Relevant To View
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC1002SFP Secondary Cluster: Unexpected Entry Points
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1002
Name: SFP Secondary Cluster: Unexpected Entry Points
Relevant to the view"Software Development - (699)"
NatureMappingTypeIDName
MemberOfProhibitedC265Privilege Issues
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 265
Name: Privilege Issues
▼Background Detail

▼Common Consequences
ScopeLikelihoodImpactNote
IntegrityOtherN/AUnexpected StateQuality Degradation
N/A
Scope: Integrity, Other
Likelihood: N/A
Impact: Unexpected State, Quality Degradation
Note:
N/A
▼Potential Mitigations
Phase:Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

Call super.clone() within your clone() method, when obtaining a new object.

Note:

Phase:Implementation
Mitigation ID:
Strategy:
Effectiveness:
Description:

In some cases, you can eliminate the clone method altogether and use copy constructors.

Note:

▼Modes Of Introduction
Phase: Implementation
Note:

N/A

▼Applicable Platforms
Languages
Class: Java(Undetermined Prevalence)
▼Demonstrative Examples
Example 1

The following two classes demonstrate a bug introduced by not calling super.clone(). Because of the way Kibitzer implements clone(), FancyKibitzer's clone method will return an object of type Kibitzer instead of FancyKibitzer.

Language: ( code)
N/A

Language: Java(Bad code)
public class Kibitzer { public Object clone() throws CloneNotSupportedException { Object returnMe = new Kibitzer(); ... } } public class FancyKibitzer extends Kibitzer{ public Object clone() throws CloneNotSupportedException { Object returnMe = super.clone(); ... } }

▼Observed Examples
ReferenceDescription
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      Automated Static Analysis
      Detection Method ID:DM-14
      Description:

      Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

      Effectiveness:High
      Note:

      N/A

      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      Software Fault PatternsSFP28N/AUnexpected access points
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP28
      Fit: N/A
      Entry Name: Unexpected access points
      ▼Related Attack Patterns
      IDName
      ▼References
      Details not found