CVE-2020-14803 – OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)
https://notcve.org/view.php?id=CVE-2020-14803
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html https://security.gentoo.org/glsa/202101-19 https://security.netapp.com/advisory/ntap-20201023-0004 https://www.debian.org/security/2020/dsa-4779 https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpuoct2020.html https://access.redhat.com/security/cve/CVE-2020-14803 https://bugzilla.redhat.com/show_bug& • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2020-14718
https://notcve.org/view.php?id=CVE-2020-14718
Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: JVMCI). Supported versions that are affected are 19.3.2 and 20.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle GraalVM Enterprise Edition. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). • https://www.oracle.com/security-alerts/cpujul2020.html •
CVE-2020-8172 – nodejs: TLS session reuse can lead to hostname verification bypass
https://notcve.org/view.php?id=CVE-2020-8172
TLS session reuse can lead to host certificate verification bypass in node version < 12.18.0 and < 14.4.0. La reutilización de una sesión TLS puede conllevar a una omisión de la verificación del certificado del host en node versión anterior a 12.18.0 y anterior a 14.4.0 A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions. • https://hackerone.com/reports/811502 https://nodejs.org/en/blog/vulnerability/june-2020-security-releases https://security.gentoo.org/glsa/202101-07 https://security.netapp.com/advisory/ntap-20200625-0002 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://ac • CWE-285: Improper Authorization CWE-295: Improper Certificate Validation •
CVE-2020-11080 – Denial of service in nghttp2
https://notcve.org/view.php?id=CVE-2020-11080
In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. • http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090 https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394 https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject& • CWE-400: Uncontrolled Resource Consumption CWE-707: Improper Neutralization CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2020-2900
https://notcve.org/view.php?id=CVE-2020-2900
Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: Tools). Supported versions that are affected are 19.3.1 and 20.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle GraalVM Enterprise Edition accessible data. • https://www.oracle.com/security-alerts/cpuapr2020.html •