Insecure Permissions

Affecting openjdk-jre package, versions [1.7.0,1.7.0_281) || [1.8.0,1.8.0_271) || [11.0.0,11.0.9) || [15.0.0,15.0.1)

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Insecure Permissions. It was discovered that the Libraries component of OpenJDK failed to perform a permission check when converting file system paths to URIs in the UnixUriUtils and WindowsUriSupport classes. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

Remediation

Upgrade openjdk-jre to version 7.0.281, 8.0.271, 11.0.9, 15.0.1 or higher.
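
To check whether an installed runtime falls inside the affected ranges listed at the top of this advisory, the following added example (not part of the original advisory or of OpenJDK) parses a version string or a `java -version` line and compares it against those ranges. The function names and the sample inputs are constructed for illustration.

```python
import re

# Affected ranges listed in this advisory: (inclusive low, exclusive high),
# each as (major, minor, security, update/patch).
AFFECTED = [
    ((1, 7, 0, 0), (1, 7, 0, 281)),
    ((1, 8, 0, 0), (1, 8, 0, 271)),
    ((11, 0, 0, 0), (11, 0, 9, 0)),
    ((15, 0, 0, 0), (15, 0, 1, 0)),
]

VERSION_LINE = re.compile(r'version "([^"]+)"')


def parse_version(text):
    """Turn '1.8.0_265', '11.0.8', '15-ea' or a `java -version` line
    into a 4-tuple of ints. Raises ValueError on unparseable input."""
    m = VERSION_LINE.search(text)
    raw = m.group(1) if m else text.strip()
    raw = re.split(r"[-+]", raw, maxsplit=1)[0]   # drop '-ea', '+10' suffixes
    main, _, update = raw.partition("_")          # legacy 1.x.0_NNN scheme
    nums = [int(p) for p in main.split(".")]
    if update:
        return tuple((nums + [0, 0, 0])[:3]) + (int(update),)
    return tuple((nums + [0, 0, 0, 0])[:4])


def is_affected(text):
    """True if the version falls inside one of the advisory's ranges.
    Versions outside every listed range are reported as not affected."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    samples = [
        'openjdk version "1.8.0_265"',
        'openjdk version "1.8.0_271"',
        'openjdk version "11.0.8" 2020-07-14',
        "11.0.9.1",
        "15",
        "15.0.1",
    ]
    for s in samples:
        print(f"{s!r:45} affected={is_affected(s)}")
```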

CVSS Score

3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Credit: Markus Loewe
CVE: CVE-2020-14796
CWE: CWE-275
Snyk ID: SNYK-UPSTREAM-OPENJDKJRE-1020123
Disclosed: 20 Oct, 2020
Published: 21 Oct, 2020