Description
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe and sun.misc.Unsafe. Normally, if UA is loaded as a named module, UA's internal data is protected by the JVM and other code can only access UA through its standard API. The main application can set up `SecurityCheck.AccessLimiter` to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect applications that do not set up `SecurityCheck.AccessLimiter`. Version 1.7.0 contains a patch.
References (3)
Patch, Third Party Advisory x_refsource_confirm
https://github.com/Karlatemp/UnsafeAccessor/security/advisories/GHSA-cr6p-23cf-w9g9
Patch, Third Party Advisory x_refsource_misc
https://github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0
Scores
CVSS v3
5.9
EPSS
0.0094
EPSS Percentile
56.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-863
Status
published
Products (2)
io.github.karlatemp/unsafe-accessor
1.4.0 - 1.7.0 (Maven)
unsafe_accessor_project/unsafe_accessor
1.4.0 - 1.7.0
Published
Jul 11, 2022
Tracked Since
Feb 18, 2026