CVE-2020-14797 – OpenJDK: Incomplete check for invalid characters in URI to path conversion (Libraries, 8242685)
https://notcve.org/view.php?id=CVE-2020-14797
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://security.gentoo.org/glsa/202101-19 https://security.netapp.com/advisory/ntap-20201023-0004 https://www.debian.org/security/2020/dsa-4779 https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-14797 https://bugzilla.redhat.com/show_bug.cgi?id=1889717 • CWE-20: Improper Input Validation •
CVE-2020-14792 – OpenJDK: Integer overflow leading to out-of-bounds access (Hotspot, 8241114)
https://notcve.org/view.php?id=CVE-2020-14792
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://security.gentoo.org/glsa/202101-19 https://security.netapp.com/advisory/ntap-20201023-0004 https://www.debian.org/security/2020/dsa-4779 https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-14792 https://bugzilla.redhat.com/show_bug.cgi?id=1889280 • CWE-190: Integer Overflow or Wraparound •
CVE-2020-14779 – OpenJDK: High memory usage during deserialization of Proxy class with many interfaces (Serialization, 8236862)
https://notcve.org/view.php?id=CVE-2020-14779
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6CJCO52DHIQJHLPF6HMTC5Z2VKFRQMY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OMJMTXFJRONFT72YAEQNRFKYZZU4W3HD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XKRGVMZT3EUUWKUA6DBT56FT3UOKPHQ2 https://lists.fedoraproject.or • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2020-14664 – Oracle Java Runtime Environment HTML Rendering Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-14664
Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE. • https://security.gentoo.org/glsa/202209-15 https://security.netapp.com/advisory/ntap-20200717-0005 https://www.oracle.com/security-alerts/cpujul2020.html https://www.zerodayinitiative.com/advisories/ZDI-20-897 •
CVE-2020-14621 – OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
https://notcve.org/view.php?id=CVE-2020-14621
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://kc.mcafee.com/corporate/index?page=content&id=SB10332 https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103%40%3Cj-users.xerces.apache.org%3E https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html https://lists.fedoraproject.org/archives& • CWE-20: Improper Input Validation •