Vulnerabilities

108 via 277 paths

Dependencies

55

Source

Group 6 Copy Created with Sketch. Docker

Target OS

alpine:3.8.1
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 7
  • 16
  • 45
  • 40
Status
  • 108
  • 0
  • 0

critical severity

Out-of-bounds Write

  • Vulnerable module: bzip2/libbz2
  • Introduced through: bzip2/libbz2@1.0.6-r6
  • Fixed in: 1.0.6-r7

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine bzip2/libbz2@1.0.6-r6

NVD Description

Note: Versions mentioned in the description apply only to the upstream bzip2 package and not the bzip2 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Remediation

Upgrade Alpine:3.8 bzip2 to version 1.0.6-r7 or higher.

References

critical severity

Off-by-one Error

  • Vulnerable module: libx11/libx11
  • Introduced through: libx11/libx11@1.6.5-r1
  • Fixed in: 1.6.6-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libx11/libx11@1.6.5-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.

Remediation

Upgrade Alpine:3.8 libx11 to version 1.6.6-r0 or higher.

References

critical severity

Out-of-bounds Write

  • Vulnerable module: libx11/libx11
  • Introduced through: libx11/libx11@1.6.5-r1
  • Fixed in: 1.6.6-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libx11/libx11@1.6.5-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c interprets a variable as signed instead of unsigned, resulting in an out-of-bounds write (of up to 128 bytes), leading to DoS or remote code execution.

Remediation

Upgrade Alpine:3.8 libx11 to version 1.6.6-r0 or higher.

References

critical severity

Out-of-bounds Write

  • Vulnerable module: musl/musl
  • Introduced through: musl/musl@1.1.19-r10 and musl/musl-utils@1.1.19-r10
  • Fixed in: 1.1.19-r11

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine musl/musl@1.1.19-r10
  • Introduced through: boxfuse/flyway@5.2.0-alpine musl/musl-utils@1.1.19-r10

NVD Description

Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.

Remediation

Upgrade Alpine:3.8 musl to version 1.1.19-r11 or higher.

References

critical severity

Out-of-bounds Read

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.3-r1

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.3-r1 or higher.

References

critical severity

CVE-2018-2938

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.181.13-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Java DB). Supported versions that are affected are Java SE: 6u191, 7u181 and 8u172. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. While the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVE-2018-2938 addresses CVE-2018-1313. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.181.13-r0 or higher.

References

critical severity

CVE-2018-3183

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Scripting). Supported versions that are affected are Java SE: 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

high severity

Out-of-bounds Write

  • Vulnerable module: libpng/libpng
  • Introduced through: libpng/libpng@1.6.34-r1
  • Fixed in: 1.6.37-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libpng/libpng@1.6.34-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue has been found in third-party PNM decoding associated with libpng 1.6.35. It is a stack-based buffer overflow in the function get_token in pnm2png.c in pnm2png.

Remediation

Upgrade Alpine:3.8 libpng to version 1.6.37-r0 or higher.

References

high severity

CVE-2018-3149

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JNDI). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

high severity

CVE-2018-3169

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

high severity

CVE-2020-14583

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

high severity

CVE-2020-2803

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

high severity

CVE-2020-2805

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

high severity

CVE-2019-2698

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.212.04-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.212.04-r0 or higher.

References

high severity

CVE-2020-2604

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

high severity

Integer Overflow or Wraparound

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.3-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.3-r0 or higher.

References

high severity

Out-of-bounds Write

  • Vulnerable module: libjpeg-turbo/libjpeg-turbo
  • Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r1
  • Fixed in: 1.5.3-r6

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libjpeg-turbo/libjpeg-turbo@1.5.3-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120551338

Remediation

Upgrade Alpine:3.8 libjpeg-turbo to version 1.5.3-r6 or higher.

References

high severity

Excessive Iteration

  • Vulnerable module: libjpeg-turbo/libjpeg-turbo
  • Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r1
  • Fixed in: 1.5.3-r3

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libjpeg-turbo/libjpeg-turbo@1.5.3-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles EOF.

Remediation

Upgrade Alpine:3.8 libjpeg-turbo to version 1.5.3-r3 or higher.

References

high severity

Improper Input Validation

  • Vulnerable module: libx11/libx11
  • Introduced through: libx11/libx11@1.6.5-r1
  • Fixed in: 1.6.6-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libx11/libx11@1.6.5-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue was discovered in XListExtensions in ListExt.c in libX11 through 1.6.5. A malicious server can send a reply in which the first string overflows, causing a variable to be set to NULL that will be freed later on, leading to DoS (segmentation fault).

Remediation

Upgrade Alpine:3.8 libx11 to version 1.6.6-r0 or higher.

References

high severity

Resource Exhaustion

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.212.04-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.212.04-r0 or higher.

References

high severity

CVE-2019-19244

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.3-r3

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.3-r3 or higher.

References

high severity

Improper Initialization

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.0-r4

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

SQLite through 3.31.1 allows attackers to cause a denial of service (segmentation fault) via a malformed window-function query because the AggInfo object's initialization is mishandled.

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.0-r4 or higher.

References

high severity

CVE-2020-14593

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

medium severity

CVE-2019-2949

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Kerberos). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

medium severity

CVE-2019-2989

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 6.8 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

medium severity

CVE-2020-2601

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: e2fsprogs/libcom_err
  • Introduced through: e2fsprogs/libcom_err@1.44.2-r0
  • Fixed in: 1.44.2-r1

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine e2fsprogs/libcom_err@1.44.2-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream e2fsprogs package and not the e2fsprogs package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Alpine:3.8 e2fsprogs to version 1.44.2-r1 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: e2fsprogs/libcom_err
  • Introduced through: e2fsprogs/libcom_err@1.44.2-r0
  • Fixed in: 1.44.2-r2

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine e2fsprogs/libcom_err@1.44.2-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream e2fsprogs package and not the e2fsprogs package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.

Remediation

Upgrade Alpine:3.8 e2fsprogs to version 1.44.2-r2 or higher.

References

medium severity

Divide By Zero

  • Vulnerable module: libjpeg-turbo/libjpeg-turbo
  • Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r1
  • Fixed in: 1.5.3-r2

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libjpeg-turbo/libjpeg-turbo@1.5.3-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted BMP image.

Remediation

Upgrade Alpine:3.8 libjpeg-turbo to version 1.5.3-r2 or higher.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libjpeg-turbo/libjpeg-turbo
  • Introduced through: libjpeg-turbo/libjpeg-turbo@1.5.3-r1
  • Fixed in: 1.5.3-r5

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libjpeg-turbo/libjpeg-turbo@1.5.3-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG through 3.3.1 allows attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted 8-bit BMP in which one or more of the color indices is out of range for the number of palette entries.

Remediation

Upgrade Alpine:3.8 libjpeg-turbo to version 1.5.3-r5 or higher.

References

medium severity

CVE-2018-14048

  • Vulnerable module: libpng/libpng
  • Introduced through: libpng/libpng@1.6.34-r1
  • Fixed in: 1.6.37-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libpng/libpng@1.6.34-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue has been found in libpng 1.6.34. It is a SEGV in the function png_free_data in png.c, related to the recommended error handling for png_read_image.

Remediation

Upgrade Alpine:3.8 libpng to version 1.6.37-r0 or higher.

References

medium severity

Divide By Zero

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

In libpng 1.6.34, a wrong calculation of row_factor in the png_check_chunk_length function (pngrutil.c) may trigger an integer overflow and resultant divide-by-zero while processing a crafted PNG file, leading to a denial of service.

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

medium severity

Divide By Zero

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.201.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

An issue was discovered in libjpeg 9a and 9d. The alloc_sarray function in jmemmgr.c allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted file.

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.201.08-r0 or higher.

References

medium severity

Divide By Zero

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.3-r2

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.3-r2 or higher.

References

medium severity

PRNG Seed Error

  • Vulnerable module: nss/nss
  • Introduced through: nss/nss@3.36.1-r0
  • Fixed in: 3.36.1-r1

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine nss/nss@3.36.1-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Remediation

Upgrade Alpine:3.8 nss to version 3.36.1-r1 or higher.

References

medium severity

CVE-2018-2973

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.181.13-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.181.13-r0 or higher.

References

medium severity

CVE-2019-2684

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.212.04-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.212.04-r0 or higher.

References

medium severity

CVE-2019-2958

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2r-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2r-r0 or higher.

References

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2q-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2q-r0 or higher.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: sqlite/sqlite-libs
  • Introduced through: sqlite/sqlite-libs@3.24.0-r0
  • Fixed in: 3.25.3-r3

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine sqlite/sqlite-libs@3.24.0-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite package and not the sqlite package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_COLUMN case in sqlite3ExprCodeTarget in expr.c.

Remediation

Upgrade Alpine:3.8 sqlite to version 3.25.3-r3 or higher.

References

medium severity

CVE-2018-3180

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JSSE). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181; JRockit: R28.3.19. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded, JRockit accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded, JRockit accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: lcms2/lcms2
  • Introduced through: lcms2/lcms2@2.9-r0
  • Fixed in: 2.9-r1

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine lcms2/lcms2@2.9-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream lcms2 package and not the lcms2 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

Remediation

Upgrade Alpine:3.8 lcms2 to version 2.9-r1 or higher.

References

medium severity

CVE-2018-1000654

  • Vulnerable module: libtasn1/libtasn1
  • Introduced through: libtasn1/libtasn1@4.13-r0
  • Fixed in: 4.14-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libtasn1/libtasn1@4.13-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file.

Remediation

Upgrade Alpine:3.8 libtasn1 to version 4.14-r0 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.181.13-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.181.13-r0 or higher.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

medium severity

Reachable Assertion

  • Vulnerable module: krb5/krb5-libs
  • Introduced through: krb5/krb5-libs@1.15.3-r0
  • Fixed in: 1.15.4-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine krb5/krb5-libs@1.15.3-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

Remediation

Upgrade Alpine:3.8 krb5 to version 1.15.4-r0 or higher.

References

medium severity

Use After Free

  • Vulnerable module: libpng/libpng
  • Introduced through: libpng/libpng@1.6.34-r1
  • Fixed in: 1.6.37-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine libpng/libpng@1.6.34-r1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Remediation

Upgrade Alpine:3.8 libpng to version 1.6.37-r0 or higher.

References

medium severity

CVE-2018-3214

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Sound). Supported versions that are affected are Java SE: 6u201, 7u191 and 8u182; Java SE Embedded: 8u181; JRockit: R28.3.19. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g. through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

medium severity

CVE-2019-2762

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

medium severity

CVE-2019-2769

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

medium severity

CVE-2020-14621

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

medium severity

CVE-2020-14803

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

medium severity

CVE-2020-2781

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

medium severity

CVE-2020-2830

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

medium severity

Use After Free

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2u-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2u-r0 or higher.

References

medium severity

CVE-2019-2745

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

medium severity

CVE-2019-2816

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

medium severity

CVE-2019-2975

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

medium severity

CVE-2020-14556

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

medium severity

CVE-2020-2593

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

medium severity

CVE-2020-2800

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

medium severity

CVE-2019-2999

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

medium severity

CVE-2019-1547

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2t-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2t-r0 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2q-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2q-r0 or higher.

References

medium severity

CVE-2018-2940

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.181.13-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.181.13-r0 or higher.

References

medium severity

CVE-2020-14792

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2018-2952

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.181.13-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are Java SE: 6u191, 7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit: R28.3.18. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.181.13-r0 or higher.

References

low severity

CVE-2019-2426

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.201.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.201.08-r0 or higher.

References

low severity

CVE-2019-2842

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JCE). The supported version that is affected is Java SE: 8u212. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

low severity

CVE-2019-2894

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2962

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2964

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2973

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2978

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2981

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2983

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2987

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2988

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2992

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2020-14577

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14578

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14579

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14581

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14779

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14781

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14782

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14797

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-2583

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

low severity

CVE-2020-2590

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

low severity

CVE-2020-2654

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

low severity

CVE-2020-2659

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.242.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u241 and 8u231; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.242.08-r0 or higher.

References

low severity

CVE-2020-2754

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

low severity

CVE-2020-2755

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Scripting). Supported versions that are affected are Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

low severity

CVE-2020-2756

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

low severity

CVE-2020-2757

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

low severity

CVE-2020-2773

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.252.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.252.09-r0 or higher.

References

low severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: openssl/libcrypto1.0
  • Introduced through: openssl/libcrypto1.0@1.0.2p-r0, openssl/libssl1.0@1.0.2p-r0 and others
  • Fixed in: 1.0.2t-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libcrypto1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/libssl1.0@1.0.2p-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openssl/openssl@1.0.2p-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Remediation

Upgrade Alpine:3.8 openssl to version 1.0.2t-r0 or higher.

References

low severity

CVE-2018-3136

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.4 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

low severity

CVE-2019-2786

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

low severity

CVE-2018-3139

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.191.12-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u201, 7u191, 8u182 and 11; Java SE Embedded: 8u181. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g. code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g. code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.191.12-r0 or higher.

References

low severity

CVE-2019-2422

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.201.08-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u201, 8u192 and 11.0.1; Java SE Embedded: 8u191. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.201.08-r0 or higher.

References

low severity

CVE-2019-2766

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.222.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.222.10-r0 or higher.

References

low severity

CVE-2019-2933

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2019-2945

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.232.09-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Networking). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.232.09-r0 or higher.

References

low severity

CVE-2020-14796

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References

low severity

CVE-2020-14798

  • Vulnerable module: openjdk8/openjdk8-jre
  • Introduced through: openjdk8/openjdk8-jre@8.171.11-r0, openjdk8/openjdk8-jre-base@8.171.11-r0 and others
  • Fixed in: 8.272.10-r0

Detailed paths

  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-base@8.171.11-r0
  • Introduced through: boxfuse/flyway@5.2.0-alpine openjdk8/openjdk8-jre-lib@8.171.11-r0

NVD Description

Note: Versions mentioned in the description apply only to the upstream openjdk8 package and not the openjdk8 package as distributed by Alpine. See How to fix? for Alpine:3.8 relevant fixed versions and status.

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Remediation

Upgrade Alpine:3.8 openjdk8 to version 8.272.10-r0 or higher.

References