Vulnerability-Lookup - Search a vulnerability

Refine your search

Product

Sort by

Order

Sources

1 vulnerability found for JavaFX by OpenJFX Project

jvndb-2020-000047

Vulnerability from jvndb

Published

2020-07-28 15:47

Modified

2020-07-28 15:47

Severity ?

8.8 (High) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

JavaFX WebEngine does not properly restrict Java method execution

Details

JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10. Since OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community. JavaFX WebEngine component is capable of web content rendering, and possible to be configured to allow JavaScript code to execute Java methods. WebEngine component does not properly restrict Java methods execution(CWE-470). This vulnerability is similar to CVE-2012-6636 of Android WebView component. ICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN62161191/index.html
	No Mapping(CWE-Other)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

	OpenJFX Project	JavaFX
	Oracle Corporation	JDK

Show details on JVN DB website

JSON

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000047.html",
  "dc:date": "2020-07-28T15:47+09:00",
  "dcterms:issued": "2020-07-28T15:47+09:00",
  "dcterms:modified": "2020-07-28T15:47+09:00",
  "description": "JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10.\r\nSince OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community.\r\n\r\nJavaFX WebEngine component is capable of web content rendering, and possible to be configured to allow JavaScript code to execute Java methods.\r\nWebEngine component does not properly restrict Java methods execution(CWE-470).\r\nThis vulnerability is similar to CVE-2012-6636 of Android WebView component.\r\n\r\nICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000047.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:misc:open_jfx_project_java_fx",
      "@product": "JavaFX",
      "@vendor": "OpenJFX Project",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:oracle:jdk",
      "@product": "JDK",
      "@vendor": "Oracle Corporation",
      "@version": "2.2"
    }
  ],
  "sec:cvss": [
    {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "8.8",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2020-000047",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN62161191/index.html",
      "@id": "JVN#62161191",
      "@source": "JVN"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "JavaFX WebEngine does not properly restrict Java method execution"
}