CVE-2022-31139

Description

### Overview Affected versions have no limit to using unsafe-accessor. Can be ignored if `SecurityCheck.AccessLimiter` not setup ### Details If UA was loaded as a named module, the internal data of UA will be protected by JVM and others can only access UA via UA's standard api. Main application can setup `SecurityCheck.AccessLimiter` for UA to limit accesses to UA. Untrusted code can access UA without lmitation in affected versions even UA was loaded as a named module. ### References [The commit to fix](https://github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd)

How to fix CVE-2022-31139

To remediate CVE-2022-31139, upgrade the affected package to a fixed version below.

• —upgrade to 1.7.0 or later

Is CVE-2022-31139 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 1.4.0, < 1.7.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31139
• PATCHgithub.com/Karlatemp/UnsafeAccessor
• WEBgithub.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd
• WEBgithub.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0