Information Exposure Affecting openjdk-jre package, versions [,1.7.0_331) [1.8.0,1.8.0_321) [9.0.0,11.0.14) [12.0.0,17.0.2)
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
EPSS
0.19% (56th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UPSTREAM-OPENJDKJRE-2346392
- published 19 Jan 2022
- disclosed 18 Jan 2022
- credit Dan Rabe
Introduced: 18 Jan 2022
CVE-2022-21296 Open this link in a new tabHow to fix?
Upgrade openjdk-jre
to version 7.0.331, 8.0.321, 11.0.14, 17.0.2 or higher.
Overview
openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).
Affected versions of this package are vulnerable to Information Exposure. The XMLEntityManager
class implementation in the JAXP
component doesn't properly perform access checks. A Java application using a SAX XML
parser in certain configurations could be tricked into disclosing information when parsing a specially-crafted XML file.