Vulnerability Information
Vulnerability Title
No security checking for UnsafeAccess.getInstance() in UnsafeAccessor
Vulnerability Description
UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by the JVM and others can only access UA via UA's standard API. The main application can set up `SecurityCheck.AccessLimiter` for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom `SecurityCheck.AccessLimiter` is not set up. Version 1.7.0 contains a patch.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Information Exposure
Vulnerability Title
UnsafeAccessor Information Disclosure Vulnerability
Vulnerability Description
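UnsafeAccessor is an unsafe accessor developed by the individual developer 微莹·纤绫 (Karlatemp). It serves as a bridge for accessing jdk.internal.misc.Unsafe & sun.misc.Unsafe. UnsafeAccessor versions 1.4.0 through 1.7.0 contain an information disclosure vulnerability, which arises because untrusted users can access UA without restriction when SecurityCheck.AccessLimiter is set up.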
CVSS Information
N/A
Vulnerability Type
N/A