CVE-2020-1729: Incorrect Authorization

March 18, 2022 (updated March 21, 2022)

A flaw was found in SmallRye’s API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2

References

bugzilla.redhat.com/show_bug.cgi?id=1802444
github.com/advisories/GHSA-54fx-gm74-q676
github.com/smallrye/smallrye-config/commit/fb0def6f61c09a2a80c9145e4ec6521225cd0b99
nvd.nist.gov/vuln/detail/CVE-2020-1729

Code Behaviors & Features

Detect and mitigate CVE-2020-1729 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →