CVE-2020-1729 – io.smallrye.config:smallrye-config
Package
Manager: maven
Name: io.smallrye.config:smallrye-config
Vulnerable Version: >=0 <1.6.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00038 (percentile: 0.10196)
Details
Permissions bypass in SmallRye
A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is to data confidentiality. This is fixed in SmallRye 1.6.2.
Metadata
Created: 2022-03-18T17:55:47Z
Modified: 2022-03-18T17:55:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-54fx-gm74-q676/GHSA-54fx-gm74-q676.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-54fx-gm74-q676
Finding: F006
Auto approve: 1