...
This noncompliant code example accepts an untrusted parameter and creates a copy using the `clone()` method. This is insecure because the copy is an instance of the attacker's class rather than of the system class. Input validation routines may not work as expected when the attacker overrides the `getTime()` method so that it returns a value that passes validation the first time it is called but a different value when it is called again. Here, the `validateValue()` method is meant to prevent the insertion of time data earlier than some known cutoff but fails to achieve this purpose.
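The following is an added example, not code from the original page, that makes the two-faced `getTime()` behaviour concrete and contrasts the `clone()` copy with a copy built from the primitive value. The class and method names (`TwoFacedDate`, `storeWithClone`, `storeWithNewDate`), the cutoff constant, and the shape of `validateValue()` are all assumptions constructed for this illustration.

```java
import java.util.Date;

// Constructed attacker-controlled subclass: reports an acceptable timestamp on
// the first getTime() call and a different one on every later call. Because
// Date.clone() preserves the runtime class, a clone of this object is still a
// TwoFacedDate (with its own copy of the 'firstCall' flag).
final class TwoFacedDate extends Date {
    private static final long serialVersionUID = 1L;
    private final long firstAnswer;
    private final long laterAnswer;
    private boolean firstCall = true;

    TwoFacedDate(long firstAnswer, long laterAnswer) {
        super(firstAnswer);
        this.firstAnswer = firstAnswer;
        this.laterAnswer = laterAnswer;
    }

    @Override
    public long getTime() {
        if (firstCall) {
            firstCall = false;
            return firstAnswer;   // passes validation
        }
        return laterAnswer;       // what the caller actually ends up storing
    }
}

public final class CloneCopyDemo {
    // Constructed cutoff (epoch milliseconds): values at or before it are rejected.
    static final long CUTOFF_MILLIS = 1_000_000_000_000L;

    // Constructed validation routine, modelled on the validateValue() the text
    // refers to: only timestamps strictly after the cutoff are accepted.
    static boolean validateValue(Date d) {
        return d.getTime() > CUTOFF_MILLIS;
    }

    // Noncompliant pattern: the "copy" is still the attacker's subclass, so the
    // overridden getTime() is consulted once for validation and again for use.
    static long storeWithClone(Date untrusted) {
        Date copy = (Date) untrusted.clone();
        if (!validateValue(copy)) {
            throw new IllegalArgumentException("timestamp not after cutoff");
        }
        return copy.getTime();    // second call: may differ from the validated value
    }

    // Compliant pattern: read the primitive value exactly once and wrap it in a
    // fresh java.util.Date. The object that is validated and stored is always
    // the system class, so validation and use observe the same value.
    static long storeWithNewDate(Date untrusted) {
        Date copy = new Date(untrusted.getTime());
        if (!validateValue(copy)) {
            throw new IllegalArgumentException("timestamp not after cutoff");
        }
        return copy.getTime();
    }

    public static void main(String[] args) {
        long good = CUTOFF_MILLIS + 1;   // acceptable
        long bad  = CUTOFF_MILLIS - 1;   // must be rejected

        // clone(): validation sees 'good', the stored value is 'bad'.
        long stored = storeWithClone(new TwoFacedDate(good, bad));
        System.out.println("clone() copy stored " + stored
                + " (before cutoff: " + (stored <= CUTOFF_MILLIS) + ")");

        // new Date(getTime()): the value observed at copy time is the value kept.
        long safe = storeWithNewDate(new TwoFacedDate(good, bad));
        System.out.println("new Date copy stored " + safe
                + " (before cutoff: " + (safe <= CUTOFF_MILLIS) + ")");

        // A plainly bad value is rejected by the compliant path.
        try {
            storeWithNewDate(new Date(bad));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected plain bad Date: " + e.getMessage());
        }
    }
}
```

Running `main` prints a stored value before the cutoff for the `clone()` path and a stored value after the cutoff for the `new Date(...)` path, then the rejection of the plain bad `Date`. The defensive copy works because `new Date(long)` cannot be subclassed by the caller and the primitive `long` has no behaviour to override; the same reasoning applies to any mutable, non-final parameter type.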
...
Using the `clone()` method to copy untrusted parameters can result in the execution of arbitrary code.
...