Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
View on MITREThe purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
Any data in a Java package can be accessed outside of the Java framework if the package is distributed.
The data in a Java class can be modified by anyone outside of the Java framework if the package is distributed.
Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.
No detection method information available for this CWE.
The following example demonstrates the weakness.
package math;public class Lebesgue implements Integration{ public final Static String youAreHidingThisFunction(functionToIntegrate){ return ...; } }CWE-487: Reliance on Package-level Scope is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.
If exploited, CWE-487 (Reliance on Package-level Scope) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Application Data and Modify Application Data.
Recommended mitigations for CWE-487 include: Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.
CWE-487 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-487 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.