5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31139

GHSA ID

GHSA-cr6p-23cf-w9g9

EPSS Score

0.3169%

CWE

CWE-200

Published

7/12/2022

Updated

7/24/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31139

CVE-2022-31139: UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()

Overview

Affected versions have no limit to using unsafe-accessor. Can be ignored if SecurityCheck.AccessLimiter not setup

Details

If UA was loaded as a named module, the internal data of UA will be protected by JVM and others can only access UA via UA's standard api. Main application can setup SecurityCheck.AccessLimiter for UA to limit accesses to UA. Untrusted code can access UA without lmitation in affected versions even UA was loaded as a named module.

References

The commit to fix

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31139

CVE-2022-31139:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-31139

GHSA ID

GHSA-cr6p-23cf-w9g9

EPSS Score

0.3169%

CWE

CWE-200

Published

7/12/2022

Updated

7/24/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.github.karlatemp:unsafe-accessor	maven	>= 1.4.0, < 1.7.0	1.7.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing security checks in the getInstance() method. The commit diff shows the patched version added a critical SecurityCheck.AccessLimiter check that was absent in vulnerable versions. The original implementation only called SecurityCheck.getInstance() without verifying the limiter, making it the root cause of unauthorized access. The CWE-863 (Incorrect Authorization) directly maps to this missing authorization check in the function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31139: UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()

Overview

Details

References

CVE-2022-31139:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2022-31139: UnsafeAccessor 1.4.0 until 1.7.0 has no security checking for UnsafeAccess.getInstance()

Overview

Details

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.9

5.9

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI