CWE-487: Reliance on Package-level Scope

BaseIncompleteExploit Likelihood: Medium

Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.

View on MITRE
Back to CWE Lookup

Extended Description

The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Java
Platforms

Frequently Asked Questions

What is CWE-487: Reliance on Package-level Scope?+

CWE-487: Reliance on Package-level Scope is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Java packages are not inherently closed; therefore, relying on them for code security is not a good practice. The purpose of package scope is to prevent accidental access by other parts of a program. This is an ease-of-software-development feature but not a security feature.

What are the security consequences of Reliance on Package-level Scope?+

If exploited, CWE-487 (Reliance on Package-level Scope) it can compromise Confidentiality and Integrity, leading to outcomes such as Read Application Data and Modify Application Data.

How do you prevent or mitigate Reliance on Package-level Scope?+

Recommended mitigations for CWE-487 include: Data should be private static and final whenever possible. This will assure that your code is protected by instantiating early, preventing access and tampering.

Which programming languages are affected by Reliance on Package-level Scope?+

CWE-487 commonly affects Java. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-487 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More