Integer Overflow

Affecting openjdk-jre package, versions [1.7.0,1.7.0_281) || [1.8.0,1.8.0_271) || [11.0.0,11.0.9) || [15.0.0,15.0.1)

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Integer Overflow. It was discovered that the Hotspot component of OpenJDK did not properly check for integer overflows when optimizing code, leading to out-of-bounds access. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.281, 8.0.271, 11.0.9, 15.0.1 or higher.
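The affected ranges above mix two Java version schemes (the legacy `1.8.0_271` form and the JEP 223 form used from JDK 9 on), which makes a naive string comparison unreliable. The following is an added example, not code from Snyk or the OpenJDK project, that normalises both schemes into comparable tuples and checks a `java -version` banner against the ranges listed in this advisory. The `java -version` sample outputs are constructed for illustration; the function names are this example's own.

```python
import re

# Affected ranges from the advisory, normalised to (major, minor, update):
# [1.7.0,1.7.0_281) || [1.8.0,1.8.0_271) || [11.0.0,11.0.9) || [15.0.0,15.0.1)
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 281)),
    ((8, 0, 0), (8, 0, 271)),
    ((11, 0, 0), (11, 0, 9)),
    ((15, 0, 0), (15, 0, 1)),
]

# First line of `java -version` looks like: openjdk version "11.0.8" 2020-07-14
_VERSION_LINE = re.compile(r'version "([^"]+)"')


def normalise(version: str) -> tuple:
    """Turn a Java version string into a comparable tuple of ints.

    Legacy scheme (JDK 8 and earlier): 1.8.0_271 -> (8, 0, 271)
    Modern scheme (JEP 223, JDK 9+):   11.0.9    -> (11, 0, 9)
    Build and pre-release suffixes ('+...', '-...') are discarded.
    """
    core = re.split(r"[+\-]", version, maxsplit=1)[0]
    parts = core.split(".")
    if parts[0] == "1" and len(parts) >= 2:
        # legacy: 1.<major>.<minor>[_<update>]
        major = int(parts[1])
        minor_update = parts[2] if len(parts) > 2 else "0"
        if "_" in minor_update:
            minor, update = minor_update.split("_", 1)
        else:
            minor, update = minor_update, "0"
        return (major, int(minor), int(update))
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        # pad so that "15" compares like 15.0.0
        nums = nums + (0,) * (3 - len(nums))
    return nums


def is_affected(version: str) -> bool:
    """True if the version falls inside any half-open affected range."""
    v = normalise(version)
    return any(lower <= v < upper for lower, upper in AFFECTED_RANGES)


def parse_java_version_output(text: str):
    """Extract the quoted version string from `java -version` output.

    Returns None when no version banner is present.
    """
    match = _VERSION_LINE.search(text)
    return match.group(1) if match else None


def check_banner(text: str):
    """Return (version, affected) for a captured `java -version` banner."""
    version = parse_java_version_output(text)
    if version is None:
        return (None, False)
    return (version, is_affected(version))


# Constructed sample banners (not captured from a real host).
SAMPLE_OUTPUTS = [
    'openjdk version "1.8.0_265"\n'
    'OpenJDK Runtime Environment (build 1.8.0_265-b01)\n'
    'OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)\n',
    'openjdk version "11.0.9" 2020-10-20\n'
    'OpenJDK Runtime Environment (build 11.0.9+11)\n'
    'OpenJDK 64-Bit Server VM (build 11.0.9+11, mixed mode)\n',
    'openjdk version "15" 2020-09-15\n'
    'OpenJDK Runtime Environment (build 15+36)\n',
]

if __name__ == "__main__":
    for banner in SAMPLE_OUTPUTS:
        version, affected = check_banner(banner)
        status = "AFFECTED, upgrade" if affected else "not affected"
        print(f"{version}: {status}")
```

In practice the banner comes from `subprocess.run(["java", "-version"], capture_output=True, text=True).stderr`, since `java -version` writes to standard error; the check is then the same `check_banner` call.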

CVSS Score

4.2
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit
Zhiqiang Zang of University of Texas at Austin
CVE
CVE-2020-14792
CWE
CWE-190
Snyk ID
SNYK-UPSTREAM-OPENJDKJRE-1020120
Disclosed
20 Oct, 2020
Published
21 Oct, 2020