Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcjZwLTIzY2YtdzlnOc4AAtUM
UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()
Overview
Affected versions have no limit to using unsafe-accessor. Can be ignored if SecurityCheck.AccessLimiter not setup
Details
If UA was loaded as a named module, the internal data of UA will be protected by JVM and others can only access UA via UA's standard api.
Main application can setup SecurityCheck.AccessLimiter for UA to limit accesses to UA.
Untrusted code can access UA without lmitation in affected versions even UA was loaded as a named module.
References
Permalink: https://github.com/advisories/GHSA-cr6p-23cf-w9g9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcjZwLTIzY2YtdzlnOc4AAtUM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-cr6p-23cf-w9g9, CVE-2022-31139
References:
- https://github.com/Karlatemp/UnsafeAccessor/security/advisories/GHSA-cr6p-23cf-w9g9
- https://nvd.nist.gov/vuln/detail/CVE-2022-31139
- https://github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd
- https://github.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0
- https://github.com/advisories/GHSA-cr6p-23cf-w9g9
Blast Radius: 5.3
Affected Packages
maven:io.github.karlatemp:unsafe-accessor
Dependent packages: 4Dependent repositories: 8
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.7.0
Fixed in: 1.7.0
All affected versions: 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2
All unaffected versions: 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.7.0