GHSA-cr6p-23cf-w9g9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cr6p-23cf-w9g9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cr6p-23cf-w9g9/GHSA-cr6p-23cf-w9g9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cr6p-23cf-w9g9
- Aliases
- Published
- 2022-07-12T22:15:53Z
- Modified
- 2024-02-16T08:19:20.597461Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()
- Details
-
Overview
Affected versions have no limit to using unsafe-accessor. Can be ignored if
SecurityCheck.AccessLimiternot setupDetails
If UA was loaded as a named module, the internal data of UA will be protected by JVM and others can only access UA via UA's standard api. Main application can setup
SecurityCheck.AccessLimiterfor UA to limit accesses to UA. Untrusted code can access UA without lmitation in affected versions even UA was loaded as a named module.References
- Database specific
{ "nvd_published_at": "2022-07-11T19:15:00Z", "cwe_ids": [ "CWE-200", "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-07-12T22:15:53Z" }- References
-
- https://github.com/Karlatemp/UnsafeAccessor/security/advisories/GHSA-cr6p-23cf-w9g9
- https://nvd.nist.gov/vuln/detail/CVE-2022-31139
- https://github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd
- https://github.com/Karlatemp/UnsafeAccessor
- https://github.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0
Affected packages
Maven / io.github.karlatemp:unsafe-accessor
Package
- Name
- io.github.karlatemp:unsafe-accessor
- View open source insights on deps.dev
- Purl
- pkg:maven/io.github.karlatemp/unsafe-accessor