integer overflow

Affecting openjdk-jre package, versions [1.7.0, 1.7.0_231) || [1.8.0, 1.8.0_221) || [11.0.0, 11.0.5) || [13.0.0, 13.0.1)


Overview

openjdk-jre is a free and open-source implementation of the Java Platform, Standard Edition (Java SE).

Affected versions of this package are vulnerable to integer overflow via the SunGraphics2D class in the 2D component of OpenJDK. The check of the offset and length values passed to the drawChars() and drawBytes() methods could be bypassed, leading to excessive memory allocation or an attempt to access a buffer out of bounds.
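The bypass described above is the classic form of CWE-190 in a bounds check: when a caller-supplied offset and length are added in 32-bit integer arithmetic, the sum can wrap to a negative value and satisfy a comparison against the buffer size even though the requested range lies far outside the buffer. The following is an added illustration written for this page, not OpenJDK's code and not the actual SunGraphics2D logic; the class and method names are hypothetical. It places an overflow-prone check beside a hardened one that cannot wrap.

```java
// Illustrative example (not OpenJDK's code): how an offset/length range
// check can be bypassed by integer overflow, and a form that cannot wrap.
public final class BoundsCheckDemo {

    // Overflow-prone pattern: offset + length is computed in int arithmetic,
    // so a very large length wraps the sum negative and the comparison passes.
    static boolean overflowProneCheck(byte[] data, int offset, int length) {
        if (offset < 0 || length < 0) {
            return false;
        }
        return offset + length <= data.length; // may wrap for large values
    }

    // Hardened pattern: validate offset first, then compare length against the
    // remaining space. data.length - offset cannot overflow once offset is in
    // [0, data.length], so no wrap-around is possible.
    static boolean hardenedCheck(byte[] data, int offset, int length) {
        if (offset < 0 || length < 0 || offset > data.length) {
            return false;
        }
        return length <= data.length - offset;
    }

    // Alternative hardened pattern: let the JDK detect the overflow for you.
    // Math.addExact throws ArithmeticException instead of silently wrapping.
    static boolean exactCheck(byte[] data, int offset, int length) {
        if (offset < 0 || length < 0) {
            return false;
        }
        try {
            return Math.addExact(offset, length) <= data.length;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    public static void main(String[] args) {
        byte[] buf = new byte[16];            // constructed sample buffer
        int offset = 8;
        int length = Integer.MAX_VALUE;       // offset + length wraps negative

        System.out.println("overflow-prone: " + overflowProneCheck(buf, offset, length));
        System.out.println("hardened:       " + hardenedCheck(buf, offset, length));
        System.out.println("addExact:       " + exactCheck(buf, offset, length));

        // A legitimate request is accepted by all three checks.
        System.out.println("valid range:    " + hardenedCheck(buf, 4, 8));
    }
}
```

With offset 8 and length Integer.MAX_VALUE the overflow-prone check accepts the range (the wrapped sum is negative and therefore "less than" 16), while both hardened forms reject it; the valid request of 8 bytes at offset 4 is accepted by all three. The subtraction form is the one to prefer in hot paths, since it needs no exception handling and no extra arithmetic.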

Remediation

Upgrade openjdk-jre to version 7.0.231, 8.0.221, 11.0.5, 13.0.1 or higher.

CVSS Score

6.5 (medium severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Credit: Unknown
CVE: CVE-2019-2988
CWE: CWE-190
Snyk ID: SNYK-UPSTREAM-OPENJDKJRE-473438
Disclosed: 16 Oct, 2019
Published: 16 Oct, 2019