Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01NGZ4LWdtNzQtcTY3Ns00HQ

Permissions bypass in SmallRye

A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2

Permalink: https://github.com/advisories/GHSA-54fx-gm74-q676
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NGZ4LWdtNzQtcTY3Ns00HQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: about 1 year ago

CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Identifiers: GHSA-54fx-gm74-q676, CVE-2020-1729
References:

Repository: https://github.com/smallrye/smallrye-config
Blast Radius: 10.0

Affected Packages

maven:io.smallrye.config:smallrye-config

Dependent packages: 199
Dependent repositories: 315
Downloads:
Affected Version Ranges: < 1.6.2
Fixed in: 1.6.2
All affected versions: 1.5.0, 1.5.1, 1.6.0, 1.6.1
All unaffected versions: 1.6.2, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.12.0, 1.13.0, 1.13.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.8.1