CVE-2022-31139
Published: 11 July 2022
Summary
CVE-2022-31139 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Unsafe Accessor Project Unsafe Accessor. Its CVSS base score is 5.9 (Medium).
Operationally, ranked in the top 42.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6324
Vulnerability details
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main…
more
application can set up `SecurityCheck.AccessLimiter` for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom `SecurityCheck.AccessLimiter` is not set up. Version 1.7.0 contains a patch.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
Ensures authorization decisions for external system use are correctly implemented and enforced.
It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Drives review and correction of flawed authorization logic applied to organizational data.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.
Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.