NULL pointer dereference

Affecting openjdk-jre package, versions [1.7.0, 1.7.0_231) || [1.8.0, 1.8.0_221) || [11.0.0, 11.0.5) || [13.0.0, 13.0.1)

Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to NULL pointer dereference via the DrawGlyphList class in the 2D component in OpenJDK. A specially crafted font file could use this flaw to cause a Java application to crash.

Remediation

Upgrade openjdk-jre to version 7.0.231, 8.0.221, 11.0.5, 13.0.1 or higher.
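To check an installed runtime against the affected ranges listed above, the following added example (not part of the original advisory or of OpenJDK) normalises both the legacy `1.8.0_212` and the modern `11.0.4` version formats before comparing. The function names and the sample `java -version` output are constructed for illustration; the ranges are the ones on this page, and builds that backport fixes under other version numbers are not covered.

```python
import re

# Affected ranges from this advisory as (inclusive lower, exclusive upper),
# normalised to (feature, interim, update): 1.7.0_231 -> (7, 0, 231).
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 231)),
    ((8, 0, 0), (8, 0, 221)),
    ((11, 0, 0), (11, 0, 5)),
    ((13, 0, 0), (13, 0, 1)),
]

_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?")  # 1.8.0_212-b03
_MODERN = re.compile(r"^(\d+)((?:\.\d+)*)")                 # 11.0.4+11, 13

# Constructed sample of `java -version` output (assumption, for the demo only).
SAMPLE_OUTPUT = (
    'openjdk version "1.8.0_212"\n'
    "OpenJDK Runtime Environment (build 1.8.0_212-b03)\n"
)

def normalise(version):
    """Map a Java version string to a comparable tuple of ints."""
    version = version.strip()
    m = _LEGACY.match(version)
    if m:
        feature, interim, update = m.groups()
        return (int(feature), int(interim or 0), int(update or 0))
    m = _MODERN.match(version)
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    parts = [int(m.group(1))] + [int(p) for p in m.group(2).split(".") if p]
    parts += [0] * (3 - len(parts))  # pad "13" to (13, 0, 0)
    return tuple(parts)

def is_affected(version):
    """True if the version falls inside one of the advisory's ranges."""
    v = normalise(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)

def version_from_java_output(text):
    """Extract the quoted version from `java -version` output, or None."""
    m = re.search(r'version "([^"]+)"', text)
    return m.group(1) if m else None

if __name__ == "__main__":
    found = version_from_java_output(SAMPLE_OUTPUT)
    print(found, "affected" if is_affected(found) else "not affected")
```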

CVSS Score

7.5 (high severity)

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R

  • Credit: Unknown
  • CVE: CVE-2019-2962
  • CWE: CWE-476
  • Snyk ID: SNYK-UPSTREAM-OPENJDKJRE-473431
  • Disclosed: 16 Oct, 2019
  • Published: 16 Oct, 2019