Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: changed NCE var names to match the described vuln in Jetty

...

The class object being synchronized must not be accessible to hostile code. If the class is package-private, then external packages may not access the Class object, ensuring its trustworthiness as an intrinsic lock object. For more information, see CON04-J. Use the private lock object idiom instead of the Class object's intrinsic locking mechanismlock.

Compliant Solution (Class.forName())

...