Vulnerabilities |
55 via 56 paths |
---|---|
Dependencies |
19 |
Source |
Docker |
Target OS |
alpine:3.8.1 |
critical severity
- Vulnerable module: musl/musl
- Introduced through: musl/musl@1.1.19-r10 and musl/musl-utils@1.1.19-r10
- Fixed in: 1.1.19-r11
Detailed paths
-
Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 › musl/musl@1.1.19-r10
-
Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 › musl/musl-utils@1.1.19-r10
NVD Description
Note: Versions mentioned in the description apply only to the upstream musl
package and not the musl
package as distributed by Alpine
.
See How to fix?
for Alpine:3.8
relevant fixed versions and status.
musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.
Remediation
Upgrade Alpine:3.8
musl
to version 1.1.19-r11 or higher.
References
critical severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
It allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
Remediation
Upgrade openjdk-jre
to version 7.0.1 or higher.
References
high severity
- Vulnerable module: wget/wget
- Introduced through: wget/wget@1.19.5-r0
- Fixed in: 1.20.1-r0
Detailed paths
-
Introduced through: azul/zulu-openjdk-alpine@6u119-6.22.0.3 › wget/wget@1.19.5-r0
NVD Description
Note: Versions mentioned in the description apply only to the upstream wget
package and not the wget
package as distributed by Alpine
.
See How to fix?
for Alpine:3.8
relevant fixed versions and status.
set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.
Remediation
Upgrade Alpine:3.8
wget
to version 1.20.1-r0 or higher.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20483
- https://security-tracker.debian.org/tracker/CVE-2018-20483
- https://security.gentoo.org/glsa/201903-08
- http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS
- https://twitter.com/marcan42/status/1077676739877232640
- https://security.netapp.com/advisory/ntap-20190321-0002/
- https://access.redhat.com/errata/RHSA-2019:3701
- http://www.securityfocus.com/bid/106358
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2018-20483
- https://usn.ubuntu.com/3943-1/
high severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Access Restriction Bypass by an unauthenticated attacker with network access via multiple protocols. This is due to incorrect implementation of the ECDSA cryptographic signature in Java. Exploiting this vulnerability results in unauthorized creation, deletion, or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Notes:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
high severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure by allowing unauthenticated attackers with network access via multiple protocols to access critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
high severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Sandbox Bypass. A flaw was found in the way the Hotspot
component of OpenJDK performed range check elimination. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Remediation
Upgrade openjdk-jre
to version 8.0.301, 11.0.12, 16.0.2 or higher.
References
high severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Covert Timing Channel in the security-libs/java.security
component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.
References
high severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Privilege Management in the hotspot/compiler
component.
Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security.
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Access Restriction Bypass via incorrect principal selection when using Kerberos Constrained Delegation result in unauthorized access to critical data or complete access to all GraalVM accessible data.
Remediation
Upgrade openjdk-jre
to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
It allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Remediation
Upgrade openjdk-jre
to version 7.0.55, 8.0.5 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control due to improper access restriction of the MethodHandle.invokeBasic
method of the Hotspot
component.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Remediation
Upgrade openjdk-jre
to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the hotspot/compiler
component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation.
Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the hotspot/runtime
component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process.
Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure in the core-libs/javax.script
component.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling the implementation of the IdentityHashMap
class doesn't properly validate the value of its size attribute when creating object instances from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the BMPImageReader
class implementation in the ImageIO
performs memory allocations when reading palette information from BMP
images. A specially-crafted BMP file could cause a Java application to consume an excessive amount of memory when opened.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. A flaw was found in the way the Attributes
class in the Libraries
component performs reading of attributes with very long values from the JAR
file manifests. A specially-crafted JAR archive could cause a Java application reading its manifest to use an excessive amount of system resources and hang.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when HttpServer
has no connection count limit. Exploiting this vulnerability allows unauthenticated attackers with network access via HTTP protocol to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
Remediation
Upgrade openjdk-jre
to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated users with network access to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition via multiple protocols.
Note: This issue is reported to only affect Java running on Solaris platform and is not believed to be applicable to other platforms.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) by allowing unauthenticated attackers with network access via multiple protocols to compromise the application.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) due to the computeNextExponential
method of the Libraries
component failing to comply with the documentation, returning sometimes negative numbers.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) due to excessive memory allocation in X.509 certificate parsing (Security, 8286533). Exploiting this vulnerability allows unauthenticated attackers with network access via HTTPS to cause a partial denial of service of Oracle Java SE, Oracle GraalVM Enterprise Edition.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 8.0.351, 11.0.17 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) in security-libs/javax.net.ssl
, when running untrusted code.
Remediation
Upgrade openjdk-jre
to version 8.0.391, 11.0.21, 17.0.9, 21.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control. It allows unauthenticated attacker with network access via TLS to compromise Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service.
Remediation
Upgrade openjdk-jre
to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control via the CORBA
component.
Note: This is only exploitable if data is supplied to APIs without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
Remediation
Upgrade openjdk-jre
to version 8.0.391 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Input Validation. It was discovered that the StringBuffer
and StringBuilder
classes implementation in the Libraries component failed to properly validate the value of the count attribute during object deserialization. A specially-crafted input could cause a Java application to misbehave because of StringBuffer
or StringBuilder
object instances in an inconsistent state.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Input Validation. The ObjectInputStream
class implementation in the Serialization
component doesn't sufficiently validate data read from the input serialized stream when reading serialized exceptions. A specially-crafted serialized stream could use this flaw to bypass certain deserialization restrictions (defined via jdk.serialFilter
system or security property).
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Input Validation by allowing unauthenticated malicious actors to update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs through a web service that supplies data to the APIs.
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Infinite loop. A flaw was found in the way the XMLEntityScanner
and XML11EntityScanner
classes in the JAXP
component handles and normalized newlines in XML entities. A specially-crafted XML document could cause a Java application to enter an infinite loop when parsed.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure. TransformerImpl
class implementation in the JAXP
component did not properly check access restrictions when performing URI resolution. This could possibly lead to information disclosure when performing XSLT transformations.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure. The XMLEntityManager
class implementation in the JAXP
component doesn't properly perform access checks. A Java application using a SAX XML
parser in certain configurations could be tricked into disclosing information when parsing a specially-crafted XML file.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure due to a class compilation issue in the Hotspot
component.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Remediation
Upgrade openjdk-jre
to version 7.0.351, 8.0.342, 11.0.16, 17.0.4, 18.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the BMPImageReader
class implementation in the ImageIO component, which allows a specially-crafted BMP image to bypass previously applied protection and cause a Java application to allocate an excessive amount of memory when opened.
Note:
this is due to an incomplete fix for CVE-2021-35586.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Integer Overflow or Wraparound. A flaw was found in the way the Hotspot
component of OpenJDK handled array indexes on 64-bit x86 platform. A large index could trigger a displacement overflow in LIRGenerator::emit_array_address
, possibly leading to access at an invalid array position.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Out-of-bounds Write. A flaw was found in the way the Hotspot component of OpenJDK processed classes with _fields that needed to be written to in Rewriter::scan_method()
.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Unsafe Reflection via improper object-to-string conversion in AnnotationInvocationHandler
.
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the security-libs/javax.xml.crypto
component. An attacker with local access could access private keys.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Validation. A flaw was found in the way the FtpClient implementation in the Networking component of OpenJDK handled responses to the FTP PASV command. A malicious FTP server could cause a Java application using FtpClient to connect to a host and port that is not accessible from the FTP server and perform port scanning or banner extraction.
Remediation
Upgrade openjdk-jre
to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.
References
medium severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Signature Validation Bypass. A flaw was found in the way the Library
component of OpenJDK handled JAR files containing multiple MANIFEST.MF
files. Such JAR files could cause signature verification process to return an incorrect result, possibly allowing tampering with signed JAR files.
Remediation
Upgrade openjdk-jre
to version 7.0.311, 8.0.301, 11.0.12, 16.0.2 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) via the JNDI component. This allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 7.0.311 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing checks for negative ObjectIdentifier
. exploiting this vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 7.0.341, 8.0.331, 11.0.15, 17.0.3, 18.0.1 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Denial of Service (DoS) in the hotspot/runtime
component.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
ws
package
Remediation
Upgrade openjdk-jre
to version 8.0.411, 11.0.23, 17.0.11, 21.0.3, 22.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Deserialization of Untrusted Data the ObjectInputStream
class implementation in the Serialization
component did not check superclasses against the deserialization filter (defined via jdk.serialFilter
system or security property) in cases when those classes were available locally and not included in the serialized stream. A specially-crafted serialized stream could possibly use this flaw to bypass class deserialization restrictions.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control in the hotspot/compiler
component. An attacker can compromise data integrity.
Remediation
Upgrade openjdk-jre
to version 8.0.411, 11.0.23, 17.0.11, 21.0.3, 22.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Insecure Randomness due to insufficient randomization of JNDI DNS port numbers. Successful attacks of this vulnerability can result in unauthorized update, insert, or deletion access to some accessible data.
Remediation
Upgrade openjdk-jre
to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to improper handling of long NTLM client hostnames. Exploiting this vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, and Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert, or deletion access to some accessible data. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service that supplies data to the APIs.
Note This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
Remediation
Upgrade openjdk-jre
to version 8.0.351, 11.0.17, 17.0.5, 19.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Timing Attack. It was discovered that the TLS implementation in the JSSE component of OpenJDK used non-constant comparisons when checking various data (such as session identifiers or verification data blocks) during TLS handshakes. A malicious TLS client could possibly use this flaw to recover that data by observing timing differences in processing of various inputs.
Remediation
Upgrade openjdk-jre
to version 7.0.321, 8.0.311, 11.0.13, 17.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Timing Attack. Timing attacks are possible in implementations of ECDSA/EdDSA
in cryptographic software libraries which allows for practical recovery of the long-term private key. This is possible in implementations which leak the bit-length of the scalar during scalar multiplication on an elliptic curve. This leakage might seem minuscule as the bit-length presents a very small amount of information present in the scalar. However, in the case of ECDSA/EdDSA signature generation, the leaked bit-length of the random nonce is enough for full recovery of the private key used after observing a few hundreds to a few thousands of signatures on known messages, due to the application of lattice techniques.
Remediation
Upgrade openjdk-jre
to version 8.0.232, 11.0.5 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Access Control Bypass in the JavaFX media component, when running untrusted code.
Remediation
Upgrade openjdk-jre
to version 8.0.401 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control through the JavaFX component. An attacker can compromise Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data by exploiting this vulnerability with network access via multiple protocols.
Note
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.411 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control through the JavaFX component. An attacker can compromise accessible data by exploiting this vulnerability with network access via multiple protocols.
Note
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.411 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure via the JavaFX component, when running untrusted code.
Remediation
Upgrade openjdk-jre
to version 8.0.401 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control through to the JavaFX component. An attacker can compromise the integrity of data by exploiting this vulnerability by logging into the infrastructure where the application executes.
Note
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.411, 17.0.11, 21.0.3, 22.0.1 or higher.
References
low severity
new
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Access Control through to the JavaFX component. An attacker can compromise the integrity of data by exploiting this vulnerability by logging into the infrastructure where the application executes.
Note This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.411, 17.0.11, 21.0.3, 22.0.1 or higher.
References
low severity
- Vulnerable module: openjdk-jre
- Introduced through: openjdk-jre@1.6.0-119-b119
Detailed paths
-
Introduced through: docker-image|azul/zulu-openjdk-alpine@6u119-6.22.0.3 › openjdk-jre@1.6.0-119-b119
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Improper Privilege Management via the JavaFX
component.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
Remediation
Upgrade openjdk-jre
to version 8.0.401, 11.0.22, 17.0.10, 21.0.2 or higher.