
CWE-487 – Reliance on Package-level Scope


Description

Java packages are not closed: any class that declares the same package name and is loaded by the same class loader joins that package and gains package-private access to its members. Relying on package scope for security is therefore not a good practice.

The purpose of package scope (the default access level, with no modifier) is to prevent accidental use of internal members by other parts of the same program. It is an ease-of-software-development feature, not a security feature, because the JVM does not verify who is allowed to place classes in a package.

Modes of Introduction:

– Implementation


Likelihood of Exploit: Medium


Related Weaknesses

CWE-664 – Improper Control of a Resource Through its Lifetime


Consequences

Confidentiality: Read Application Data

Any package-private field or method in a distributed Java package can be read by attacker-supplied code that declares itself a member of the same package, since the package boundary is not enforced once the code leaves the developer's control.

Integrity: Modify Application Data

Any package-private, non-final field in a distributed Java class can be modified by the same kind of outside code, and package-private methods that bypass the class's public checks can be called directly.
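The following is an added illustration, not code from the CWE entry: a library class that keeps its state package-private, and a second class written elsewhere that simply declares the same package name. The class and package names (com.example.bank, Account, Intruder), the field names and the sample values are all constructed for the example. The two files are shown in one block separated by file-name comments.

```java
// Added example, not from the CWE entry. Two source files that share only a
// package name and are compiled separately.

// ---- File 1: victim/com/example/bank/Account.java (the shipped library) ----
package com.example.bank;

public class Account {
    // Package-private on purpose: the author assumes only the library's own
    // classes in com.example.bank will touch these. The JVM does not enforce that.
    long balanceCents;
    static String auditKey = "constructed-sample-key";   // constructed sample value

    public Account(long initialCents) { this.balanceCents = initialCents; }

    public long getBalanceCents() { return balanceCents; }

    // Package-private "internal" mutator that skips the public-API validation.
    void adjust(long deltaCents) {
        balanceCents += deltaCents;
    }
}

// ---- File 2: attacker/com/example/bank/Intruder.java (code from elsewhere) ----
package com.example.bank;               // the same package name is all it takes

public class Intruder {
    public static void main(String[] args) {
        Account victim = new Account(100_00);
        // Confidentiality: read package-private data.
        System.out.println("audit key = " + Account.auditKey);
        // Integrity: overwrite package-private data and call the internal mutator.
        victim.balanceCents = 1_000_000_00L;
        Account.auditKey = "attacker-controlled";
        victim.adjust(5_00);
        System.out.println("balance = " + victim.getBalanceCents());
    }
}
```

Compile the library first (javac -d out/victim victim/com/example/bank/Account.java), then the intruder against it (javac -cp out/victim -d out/attacker attacker/com/example/bank/Intruder.java), and run with both directories on the class path (java -cp out/victim:out/attacker com.example.bank.Intruder). Both directories are loaded by the application class loader, so the two classes end up in the same runtime package and every package-private access compiles and executes. The runtime package is keyed on the pair (class loader, package name): the same trick fails only when the library closes its package, for example by shipping it in a sealed JAR or as a named module, in which case the loader refuses to add Intruder to the package.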


Potential Mitigations

Phase: Architecture and Design, Implementation

Description:

Do not treat package-private (default) access as an access-control boundary. Declare fields private, and final wherever the value is assigned only once; expose state solely through methods that enforce the class's invariants. A private static final field is initialized once when the class is loaded and cannot be reassigned afterwards, which removes the tampering surface for that value (note that final protects the reference, not the contents of a mutable object such as an array). Where the package boundary itself matters, close it: seal the package in the JAR manifest (Sealed: true) or ship the code as a named module, both of which prevent classes from another location from being loaded into the same package.
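As an added example of the mitigation (not code from the CWE entry), here is the same kind of class rewritten so that package scope no longer guards anything, together with a module declaration that stops outside code from joining the package. The names com.example.bank and Account, the method names and the invariant chosen (balance never negative) are assumptions made for the example; the two files are shown in one block separated by file-name comments.

```java
// Added example, not from the CWE entry: hardened form of a package-scoped class.

// ---- File 1: src/com.example.bank/module-info.java ----
// Named module: the JVM rejects a split package, so classes from the class path
// or another module cannot be added to com.example.bank.
module com.example.bank {
    exports com.example.bank;          // only the public API is reachable from outside
}

// ---- File 2: src/com.example.bank/com/example/bank/Account.java ----
package com.example.bank;

import java.util.Objects;

public final class Account {                  // final: no subclass can widen access
    private final String id;                  // private final: assigned once, never reassigned
    private long balanceCents;                // private: changed only through checked methods

    public Account(String id, long initialCents) {
        if (initialCents < 0) {
            throw new IllegalArgumentException("initial balance must not be negative");
        }
        this.id = Objects.requireNonNull(id, "id");
        this.balanceCents = initialCents;
    }

    public String id() { return id; }

    public long balanceCents() { return balanceCents; }

    // The only way to change the balance; every path through here keeps balance >= 0.
    public void adjust(long deltaCents) {
        long updated = Math.addExact(balanceCents, deltaCents);   // overflow throws
        if (updated < 0) {
            throw new IllegalStateException("insufficient funds");
        }
        balanceCents = updated;
    }
}
```

Build with javac -d out --module-source-path src $(find src -name '*.java') and run clients with --module-path out. A class that declares package com.example.bank on the class path is now ignored by the module system rather than merged into the package, and the private fields are unreachable from any other class regardless of package. Two caveats a reviewer should keep in mind: on Java 16 and later, reflective setAccessible from outside the module fails because the package is exported but not opened, while code inside the same module can still reflect on it; and private final protects only the reference, so fields holding arrays or other mutable objects still need immutable types or defensive copies.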

CVE References