CVE-2022-31139 is a vulnerability in Unsafeaccessorproject Unsafe Accessor
Published on July 11, 2022

No security checking for UnsafeAccess.getInstance() in UnsafeAccessor
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main application can set up `SecurityCheck.AccessLimiter` for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom `SecurityCheck.AccessLimiter` is not set up. Version 1.7.0 contains a patch.


Vulnerability Analysis

CVE-2022-31139 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity or availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-31139 has been classified as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-31139

Affected Versions

Karlatemp UnsafeAccessor Version >= 1.4.0, < 1.7.0 is affected by CVE-2022-31139

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-31139

Package Manager: maven
Vulnerable Package: io.github.karlatemp:unsafe-accessor
Vulnerable Versions: >= 1.4.0, < 1.7.0
Fixed In: 1.7.0
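The following is an added example (not from stack.watch or the UnsafeAccessor project) that checks a Maven pom.xml for a dependency on the coordinates and version range listed above. It assumes plain dotted numeric versions; the pom.xml content is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected coordinates and range as listed in this advisory.
AFFECTED_GA = "io.github.karlatemp:unsafe-accessor"
AFFECTED_MIN = "1.4.0"   # inclusive
FIXED_IN = "1.7.0"       # exclusive: the patched release

# Constructed sample pom.xml (not taken from any real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>io.github.karlatemp</groupId>
      <artifactId>unsafe-accessor</artifactId>
      <version>1.6.2</version>
    </dependency>
  </dependencies>
</project>
"""

def version_key(version):
    """Numeric dotted core only; a qualifier such as -SNAPSHOT is dropped.
    Assumption: Maven's own qualifier ordering is not reproduced here."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version):
    """True when AFFECTED_MIN <= version < FIXED_IN, the advisory's range."""
    key = version_key(version)
    return version_key(AFFECTED_MIN) <= key < version_key(FIXED_IN)

def find_affected_dependencies(pom_xml):
    """Return [(group:artifact, version)] for declared dependencies in range."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.findall(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns)
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        ga = f"{group}:{artifact}"
        if ga == AFFECTED_GA and version and is_affected(version):
            hits.append((ga, version))
    return hits

if __name__ == "__main__":
    for ga, v in find_affected_dependencies(SAMPLE_POM):
        print(f"{ga} {v} is in the CVE-2022-31139 range; upgrade to {FIXED_IN}")
```

Only directly declared dependencies are inspected; a transitive pull of the library would need the resolved dependency tree instead.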

Exploit Probability

EPSS: 0.34%
Percentile: 57.05%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.