CVE-2020-14803
OpenJDK: Race condition in NIO Buffer boundary checks (Libraries, 8244136)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerabilidad en el producto Java SE de Oracle Java SE (componente: Libraries). Las versiones compatibles que están afectadas son Java SE: 11.0.8 y 15. Una vulnerabilidad explotable fácilmente permite a un atacante no autenticado con acceso a la red por medio de múltiples protocolos comprometer a Java SE. Los ataques con éxito de esta vulnerabilidad pueden resultar en un acceso de lectura no autorizado a un subconjunto de datos accesibles de Java SE. Nota: Esta vulnerabilidad Aplica a las implementaciones de Java, normalmente en clientes que ejecutan aplicaciones Java Web Start en sandbox o applets de Java en sandbox, que cargan y ejecutan código que no es de confianza (por ejemplo, código que proviene de Internet) y confían en el sandbox de Java para su seguridad. Esta vulnerabilidad no aplica a las implementaciones de Java, típicamente en servidores, que cargan y ejecutan solo código confiable (por ejemplo, código instalado por un administrador). CVSS 3.1 Puntuación Base 5. 3 (Impactos de la Confidencialidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2020-06-19 CVE Reserved
- 2020-10-21 CVE Published
- 2024-09-26 CVE Updated
- 2024-09-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2020/10/msg00031.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20201023-0004 | Third Party Advisory |
|
| https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpuoct2020.html | 2021-02-24 |
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html | 2021-02-24 | |
| https://security.gentoo.org/glsa/202101-19 | 2021-02-24 | |
| https://www.debian.org/security/2020/dsa-4779 | 2021-02-24 | |
| https://access.redhat.com/security/cve/CVE-2020-14803 | 2021-03-04 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1889895 | 2021-03-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 19.3.3 Search vendor "Oracle" for product "Graalvm" and version "19.3.3" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 19.3.4 Search vendor "Oracle" for product "Graalvm" and version "19.3.4" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 20.2.0 Search vendor "Oracle" for product "Graalvm" and version "20.2.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 20.3.0 Search vendor "Oracle" for product "Graalvm" and version "20.3.0" | enterprise |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 7.0 Search vendor "Oracle" for product "Jdk" and version "7.0" | update_281 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 8.0 Search vendor "Oracle" for product "Jdk" and version "8.0" | update_271 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 11.0.8 Search vendor "Oracle" for product "Jdk" and version "11.0.8" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jdk Search vendor "Oracle" for product "Jdk" | 15.0 Search vendor "Oracle" for product "Jdk" and version "15.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 7.0 Search vendor "Oracle" for product "Jre" and version "7.0" | update_281 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 8.0 Search vendor "Oracle" for product "Jre" and version "8.0" | update_271 |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 11.0.8 Search vendor "Oracle" for product "Jre" and version "11.0.8" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Jre Search vendor "Oracle" for product "Jre" | 15.0 Search vendor "Oracle" for product "Jre" and version "15.0" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | 7-mode Transition Tool Search vendor "Netapp" for product "7-mode Transition Tool" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 7.3 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 7.3" | windows |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager" | >= 9.5 Search vendor "Netapp" for product "Active Iq Unified Manager" and version " >= 9.5" | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller" | >= 11.0.0 <= 11.60.1 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0.0 <= 11.60.1" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Storage Manager Search vendor "Netapp" for product "E-series Santricity Storage Manager" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Web Services Proxy Search vendor "Netapp" for product "E-series Santricity Web Services Proxy" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Management Node Search vendor "Netapp" for product "Hci Management Node" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Insight Search vendor "Netapp" for product "Oncommand Insight" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Oncommand Unified Manager Search vendor "Netapp" for product "Oncommand Unified Manager" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Santricity Cloud Connector Search vendor "Netapp" for product "Santricity Cloud Connector" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Santricity Unified Manager Search vendor "Netapp" for product "Santricity Unified Manager" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | oracle |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapmanager Search vendor "Netapp" for product "Snapmanager" | - | sap |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Solidfire Search vendor "Netapp" for product "Solidfire" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Storage Node Search vendor "Netapp" for product "Hci Storage Node" | - | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||