...
Improper use of public static fields can also result in type-safety issues. For example, untrusted code can supply an unexpected subtype with malicious methods when the variable is defined to be of a more general type, such as java.lang.Object [Gong 2003]. As a result, classes must not contain nonfinal public static fields.
...
This noncompliant code example is adopted from JDK v1.4.2 [FT 2008]. It declares a function table containing a public static field.
...
Unauthorized modifications of public static variables can result in unexpected behavior and violation of class invariants. Furthermore, because static variables can be visible to code loaded by different class loaders when those class loaders are in the same delegation chain, such variables can be used as a covert communication channel between different application domains.
...
CWE-493. Critical public variable without final modifier | |
| CWE-500. Public static field not marked final |
Secure Coding Guidelines for the Java Programming Language, Version 3.0 | Guideline 3-1. Treat public static fields as constants |
Bibliography
[FT 2008] | Function Table, Class Function Table |
9.3, Static Fields | |
Antipattern 5, Misusing Public Static Variables | |
Antipattern 5, Misusing Public Static Variables |
...