GHSA-cr6p-23cf-w9g9

Suggest an improvement
Source
https://github.com/advisories/GHSA-cr6p-23cf-w9g9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cr6p-23cf-w9g9/GHSA-cr6p-23cf-w9g9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cr6p-23cf-w9g9
Aliases
Published
2022-07-12T22:15:53Z
Modified
2023-11-01T04:58:58.930921Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()
Details

Overview

Affected versions have no limit to using unsafe-accessor. Can be ignored if SecurityCheck.AccessLimiter not setup

Details

If UA was loaded as a named module, the internal data of UA will be protected by JVM and others can only access UA via UA's standard api. Main application can setup SecurityCheck.AccessLimiter for UA to limit accesses to UA. Untrusted code can access UA without lmitation in affected versions even UA was loaded as a named module.

References

The commit to fix

Database specific
{
    "nvd_published_at": "2022-07-11T19:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-12T22:15:53Z"
}
References

Affected packages

Maven / io.github.karlatemp:unsafe-accessor

Package

Name
io.github.karlatemp:unsafe-accessor
View open source insights on deps.dev
Purl
pkg:maven/io.github.karlatemp/unsafe-accessor

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.7.0

Affected versions

1.*

1.4.0
1.5.0
1.6.0
1.6.1
1.6.2