Corgea LogoCorgea Security Hub

CWE-487: Reliance on Package-level Scope

Learn about CWE-487 (Reliance on Package-level Scope), its security impact, exploitation methods, and prevention guidelines.

What is Reliance on Package-level Scope?

• Overview: Reliance on Package-level Scope (CWE-487) is a vulnerability that occurs when developers mistakenly assume that Java package-level scope provides security, when in fact it only prevents accidental access within the same package and is not intended as a security mechanism.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by bypassing package-level access controls through techniques like reflection or by simply creating a class in the same package.
  • Common attack patterns include creating malicious classes within the same package to access or manipulate sensitive data or functions that are not intended to be exposed.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to sensitive methods or data within the package.
  • Potential cascading effects include data breaches, integrity violations, and unauthorized actions being performed within the application.
  • Business impact can range from loss of customer trust to legal liabilities and financial losses due to data breaches or system compromises.

• Prevention Guidelines:

  • Specific code-level fixes include using access modifiers such as 'private' or 'protected' instead of default (package-private) access for sensitive methods and data.
  • Security best practices involve adhering to the principle of least privilege, ensuring that classes and methods are not more accessible than necessary.
  • Recommended tools and frameworks include static code analysis tools to identify improper access control and security-focused code reviews to ensure best practices are followed.
Corgea can automatically detect and fix Reliance on Package-level Scope in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Medium

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

// This class relies on package-level scope to restrict access to sensitive methods.
// However, Java packages are not inherently closed, making this approach insecure.

class AccountManager { // Package-private class

    // Package-private method to change account balance
    void changeAccountBalance(String accountId, double newBalance) {
        // Logic to change account balance
    }
}

Explanation

In this example, the AccountManager class and its method changeAccountBalance are package-private (default access level), meaning they can be accessed by any class within the same package. This is insecure because any malicious code added to the package can exploit this access to modify account balances without restriction.

How to fix Reliance on Package-level Scope?

Relying on package-level (default) access control for security is a common mistake in Java because packages are not inherently closed. Any code within the same package, including malicious code, can access package-private members. To properly secure sensitive methods or data, use explicit access modifiers like private for methods or data that should not be accessed externally. If access is needed by specific classes, use protected or design patterns like accessors, interfaces, or dependency injection to control access more securely and explicitly.

Fixed Code Example

// The class now uses private access modifiers to restrict access to sensitive methods.
// Access to sensitive operations is controlled through a public method with additional checks.

public class AccountManager {

    // Private method to change account balance
    private void changeAccountBalance(String accountId, double newBalance) {
        // Logic to change account balance
    }

    // Public method to safely update balance with authorization check
    public boolean updateBalance(String accountId, double newBalance, User user) {
        if (user.isAuthorized()) { // Check if the user has appropriate permissions
            changeAccountBalance(accountId, newBalance);
            return true;
        }
        return false; // Unauthorized access, balance not changed
    }
}

Explanation

In this fixed version, the changeAccountBalance method is marked private, ensuring it cannot be accessed by any code outside of the AccountManager class. The updateBalance method is introduced as a public interface that performs necessary authorization checks before calling the private method. This approach ensures that only authorized users can change the account balance, adhering to the principle of least privilege.

By making the class public, it can be accessed by other parts of the application as needed, but the sensitive method changeAccountBalance remains protected by being private, and access is controlled through the updateBalance method with proper authorization checks.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-487: Reliance on Package-level Scope and get remediation guidance

Start for free and no credit card needed.