CWE-487 - Reliance on Package-level Scope
- Abstraction: Base
- Structure: Simple
- Status: Incomplete
- Release Date: 2006-07-19
- Latest Modification Date: 2023-06-29
Weakness Name
Reliance on Package-level Scope
Description
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
Common Consequences
Scope: Confidentiality
Impact: Read Application Data
Notes: Any data in a Java package can be accessed outside of the Java framework if the package is distributed.
Scope: Integrity
Impact: Modify Application Data
Notes: The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.
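The read and modify consequences above, shown as an added Java example that is not part of the CWE entry: a field that relies on package-level scope beside a form that uses explicit access control. The package name, class names and key bytes are hypothetical, constructed for illustration.

```java
// File: PackageScopeDemo.java (added example; all names are hypothetical)
package com.example.billing; // hypothetical package name

import java.security.MessageDigest;
import java.util.Arrays;

// Stands in for any class that declares the same package name and is loaded
// alongside the distributed code: package scope gives it full access.
public class PackageScopeDemo {
    public static void main(String[] args) {
        WeakKeyStore weak = new WeakKeyStore();
        byte[] seen = weak.apiKey.clone();   // confidentiality: field is readable
        weak.apiKey[0] = 0x7f;               // integrity: field is writable in place
        System.out.println("weak, as read:     " + Arrays.toString(seen));
        System.out.println("weak, after write: " + Arrays.toString(weak.apiKey));

        HardenedKeyStore hardened = new HardenedKeyStore();
        // hardened.apiKey would not compile here: the field is private.
        System.out.println("hardened accepts original key: " + hardened.matches(seen));
        System.out.println("hardened accepts modified key: " + hardened.matches(weak.apiKey));
    }
}

// Weak: the field has default (package-level) scope and is mutable, so the
// only thing protecting it is the package boundary.
class WeakKeyStore {
    byte[] apiKey = {0x01, 0x02, 0x03, 0x04}; // constructed sample value
}

// Hardened: the state is private and final, the class cannot be subclassed,
// and callers get an operation on the key instead of the key itself.
final class HardenedKeyStore {
    private final byte[] apiKey = {0x01, 0x02, 0x03, 0x04}; // constructed sample value

    boolean matches(byte[] candidate) {
        // MessageDigest.isEqual compares the arrays without exposing the field.
        return MessageDigest.isEqual(apiKey, candidate);
    }
}
```

The `private` modifier is enforced by the compiler and the JVM access checks for every class, including those in the same package, which is the property package scope does not provide.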