CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS
Percentile: 5.1%
Because of the missing checkLink(String) override in the SecurityManager, students can load libraries and execute arbitrary code.
Using System.load(String) or System.loadLibrary(String), students can load and execute arbitrary code.
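    import java.io.File;
    import java.util.List;
    public class Main { // illustrative class name; the page shows only the members
        private static native void start(List<String> args);
        public static void main(String[] args) {
            // System.load reaches the native loader because checkLink is not overridden
            System.load(new File("path_to_lib.so").getAbsolutePath());
            start(List.of(args));
        }
    }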
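Adding this override to the security manager (and a translation for the new message key) should fix the issue:

    // Must override checkLink(String): System.load and System.loadLibrary
    // consult checkLink, not checkExec, before loading a native library.
    @Override
    public void checkLink(String lib) {
        try {
            if (enterPublicInterface())
                return;
            throw new SecurityException(localized("security.error_link")); //$NON-NLS-1$
        } finally {
            exitPublicInterface();
        }
    }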
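A regression check for the missing checkLink(String) override described above, written as an added example that is not part of the advisory or the project's code. The two manager classes, the class name and the library names are constructed stand-ins, and the run assumes a JDK that still permits System.setSecurityManager (17 or earlier, or 18 to 23 started with -Djava.security.manager=allow).

```java
import java.io.File;
import java.security.Permission;

// Added example with constructed stand-in managers; not the project's SecurityManager.
public class CheckLinkDemo {
    /** Vulnerable shape: allows every permission and does not override checkLink. */
    static class NoLinkCheck extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Inherited checkLink ends up here with RuntimePermission("loadLibrary.<lib>").
        }
    }

    /** Hardened shape: checkLink rejects every native library request. */
    static class WithLinkCheck extends NoLinkCheck {
        @Override
        public void checkLink(String lib) {
            throw new SecurityException("native library loading denied: " + lib);
        }
    }

    /** Runs one load call and reports how far it got. */
    static String outcome(Runnable loadCall) {
        try {
            loadCall.run();
            return "library loaded";
        } catch (SecurityException e) {
            return "blocked by checkLink";
        } catch (UnsatisfiedLinkError e) {
            return "not blocked: request reached the native loader";
        }
    }

    static void report(String label) {
        // Constructed, nonexistent library names: nothing is actually loaded.
        String path = new File("constructed_missing_lib.so").getAbsolutePath();
        System.out.println(label + " System.load: " + outcome(() -> System.load(path)));
        System.out.println(label + " System.loadLibrary: "
                + outcome(() -> System.loadLibrary("constructed_missing_lib")));
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoLinkCheck());
        report("without checkLink,");
        System.setSecurityManager(new WithLinkCheck());
        report("with checkLink,");
    }
}
```

Both entry points have to report "blocked by checkLink" under the hardened manager; a result that reaches the native loader means the request was never vetoed.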
See details.
Arbitrary code execution.