CVE-2022-31139: 
Java vulnerability analysis and mitigation

UnsafeAccessor (UA) is a bridge to access jdk.internal.misc.Unsafe & sun.misc.Unsafe that was found to have a security vulnerability (CVE-2022-31139) affecting versions 1.4.0 through 1.7.0. When UA is loaded as a named module, the internal data should be protected by JVM and others should only access UA via UA's standard API. The vulnerability was discovered and disclosed in July 2022 (GitHub Advisory).

The vulnerability exists in the security checking mechanism of UnsafeAccess.getInstance(). When SecurityCheck.AccessLimiter is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. This bypasses the intended security restrictions that should be enforced by the JVM to protect internal data (GitHub Release).

The vulnerability allows untrusted code to gain unauthorized access to UA's internal functionality, bypassing security restrictions that should be enforced by the JVM. This could potentially lead to unauthorized access to low-level system operations that should be restricted (GitHub Advisory).

The vulnerability was patched in version 1.7.0 of UnsafeAccessor. Users are recommended to upgrade to this version or later. The fix implements proper security checking for UnsafeAccess.getInstance(). For those who cannot upgrade immediately, it's worth noting that the vulnerability only affects systems where SecurityCheck.AccessLimiter is set up (GitHub Release).