CVE-2022-21282 – OpenJDK: Insufficient URI checks in the XSLT TransformerImpl (JAXP, 8270492)
https://notcve.org/view.php?id=CVE-2022-21282
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21282 https://bugzilla.redhat.com/show_bug.cgi?id=2041435 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2022-21277 – OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952)
https://notcve.org/view.php?id=CVE-2022-21277
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 https://www.debian.org/security/2022/dsa-5057 https://www.debian.org/security/2022/dsa-5058 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2022-21277 https://bugzilla.redhat.com/show_bug.cgi?id=2041479 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-21248 – OpenJDK: Incomplete deserialization class filtering in ObjectInputStream (Serialization, 8264934)
https://notcve.org/view.php?id=CVE-2022-21248
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • https://lists.debian.org/debian-lts-announce/2022/02/msg00011.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DIN3L6L3SVZK75CKW2GPSU4HIGZR7XG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4J2N4FNXW6JKJBWUZH6SNI2UHCZXQXCY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPIWQ6DL5IPOT54UBWTISG5T24FQJ7MN https://security.gentoo.org/glsa/202209-05 https://security.netapp.com/advisory/ntap-20220121-0007 h • CWE-502: Deserialization of Untrusted Data •
CVE-2020-14803 – OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)
https://notcve.org/view.php?id=CVE-2020-14803
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://security.gentoo.org/glsa/202101-19 https://security.netapp.com/advisory/ntap-20201023-0004 https://www.debian.org/security/2020/dsa-4779 https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-14803 https://bugzilla.redhat.com/show_bug& • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2020-2830 – OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
https://notcve.org/view.php?id=CVE-2020-2830
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html https://kc.mcafee.com/corporate/index?page=content&id=SB10318 https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ https://lists.fedoraproject.org/archives& • CWE-400: Uncontrolled Resource Consumption •