Improper Input Validation

Affecting openjdk-jre package, versions [1.7.0,1.7.0_281) || [1.8.0,1.8.0_271) || [11.0.0,11.0.9) || [15.0.0,15.0.1)

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to Improper Input Validation. It was discovered that the UnixUriUtils class in the Libraries component of OpenJDK did not properly check for invalid characters when performing URI to Path conversion. This could lead to creating Path objects with invalid paths.

Remediation

Upgrade openjdk-jre to version 7.0.281, 8.0.271, 11.0.9, 15.0.1 or higher.

References

CVSS Score

3.7
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Credit
Markus Loewe
CVE
CVE-2020-14797
CWE
CWE-20
Snyk ID
SNYK-UPSTREAM-OPENJDKJRE-1020124
Disclosed
20 Oct, 2020
Published
21 Oct, 2020