CVE-2022-31139
Description
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main application can set up SecurityCheck.AccessLimiter for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when SecurityCheck.AccessLimiter is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom SecurityCheck.AccessLimiter is not set up. Version 1.7.0 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.github.karlatemp:unsafe-accessor (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0 |
Affected products
- Range: >= 1.4.0, < 1.7.0
References
- github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd [nvd: Patch, Third Party Advisory, WEB]
- github.com/Karlatemp/UnsafeAccessor/security/advisories/GHSA-cr6p-23cf-w9g9 [nvd: Patch, Third Party Advisory, WEB]
- github.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0 [nvd: Release Notes, Third Party Advisory, WEB]
- github.com/advisories/GHSA-cr6p-23cf-w9g9 [ghsa: ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2022-31139 [ghsa: ADVISORY]