Do you have more information about CVE-2012-3174?

While the CVE may use similar things as my solution, it is quite rare to grant untrusted code the ReflectPermission("suppressAccessChecks"), as I do in this kata.

https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/reflect/ReflectPermission.html states:

suppressAccessChecks ability to suppress the standard Java language access checks on fields and methods in a class; allow access not only public members but also allow access to default (package) access, protected, and private members. This is dangerous in that information (possibly confidential) and methods normally unavailable would be accessible to malicious code.

This permission was always known as one of those that allow a fully SecurityManager bypass, if abused.

Well, I wrote this - but others did cheat and copy my solution, without understanding what is going on.
Or even changing something.

What can I say?
This kata is not easy - it requires deep knowledge on how the Java SecurityManager works - and the SecurityManager has been deprecated now for a while, so finding people with the right skillset to solve this Kata is hard.

Yes. The problem is that codewars does not allow specifiying command line arguments.

If -Djava.security.manager=allow command line arguments would be supplied, this kata could "survive" a bit longer.

Yes, Java.

There are edge cases where this doesn't work.

That's what you get when you code golf it. 176 chars.

Anyone up to beat that?

The goal of this Kurmite was to disallow the use of java.util.stream.Stream.

If you find a way to use that anyway, let me know.