UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe. Normally, if UA is loaded as a named module, the internal data of UA is protected by JVM and others can only access UA via UA's standard API. The main application can set up `SecurityCheck.AccessLimiter` for UA to limit access to UA. Starting with version 1.4.0 and prior to version 1.7.0, when `SecurityCheck.AccessLimiter` is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This issue does not affect those for whom `SecurityCheck.AccessLimiter` is not set up. Version 1.7.0 contains a patch.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
| Link | Tags |
|---|---|
| https://github.com/Karlatemp/UnsafeAccessor/security/advisories/GHSA-cr6p-23cf-w9g9 | third party advisory patch |
| https://github.com/Karlatemp/UnsafeAccessor/commit/4ef83000184e8f13239a1ea2847ee401d81585fd | third party advisory patch |
| https://github.com/Karlatemp/UnsafeAccessor/releases/tag/1.7.0 | third party advisory release notes |