usn-5313-1
Vulnerability from osv_ubuntu
It was discovered that OpenJDK incorrectly handled deserialization filters. An attacker could possibly use this issue to insert, delete or obtain sensitive information. (CVE-2022-21248)
It was discovered that OpenJDK incorrectly read uncompressed TIFF files. An attacker could possibly use this issue to cause a denial of service via a specially crafted TIFF file. (CVE-2022-21277)
Jonni Passki discovered that OpenJDK incorrectly verified access restrictions when performing URI resolution. An attacker could possibly use this issue to obtain sensitive information. (CVE-2022-21282)
It was discovered that OpenJDK incorrectly handled certain regular expressions in the Pattern class implementation. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-21283)
It was discovered that OpenJDK incorrectly handled specially crafted Java class files. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-21291)
Markus Loewe discovered that OpenJDK incorrectly validated attributes during object deserialization. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-21293, CVE-2022-21294)
Dan Rabe discovered that OpenJDK incorrectly verified access permissions in the JAXP component. An attacker could possibly use this to specially craft an XML file to obtain sensitive information. (CVE-2022-21296)
It was discovered that OpenJDK incorrectly handled XML entities. An attacker could use this to specially craft an XML file that, when parsed, would possibly cause a denial of service. (CVE-2022-21299)
Zhiqiang Zang discovered that OpenJDK incorrectly handled array indexes. An attacker could possibly use this issue to obtain sensitive information. (CVE-2022-21305)
It was discovered that OpenJDK incorrectly read very long attributes values in JAR file manifests. An attacker could possibly use this to specially craft JAR file to cause a denial of service. (CVE-2022-21340)
It was discovered that OpenJDK incorrectly validated input from serialized streams. An attacker cold possibly use this issue to bypass sandbox restrictions. (CVE-2022-21341)
Fabian Meumertzheim discovered that OpenJDK incorrectly handled certain specially crafted BMP or TIFF files. An attacker could possibly use this to cause a denial of service. (CVE-2022-21360, CVE-2022-21366)
It was discovered that an integer overflow could be triggered in OpenJDK BMPImageReader class implementation. An attacker could possibly use this to specially craft a BMP file to cause a denial of service. (CVE-2022-21365)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-21248",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21277",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21282",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21283",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21291",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21293",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21294",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21296",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21299",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21305",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21340",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21341",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21360",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21365",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21366",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "openjdk-17-demo",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-jdk",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-jdk-headless",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-jre",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-jre-headless",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-jre-zero",
"binary_version": "17.0.2+8-1~18.04"
},
{
"binary_name": "openjdk-17-source",
"binary_version": "17.0.2+8-1~18.04"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "openjdk-17",
"purl": "pkg:deb/ubuntu/openjdk-17@17.0.2+8-1~18.04?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.0.2+8-1~18.04"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"17+35-1~18.04",
"17.0.1+12-1~18.04"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-21248",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21277",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21282",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21283",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21291",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21293",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21294",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21296",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21299",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21305",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21340",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21341",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21360",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21365",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21366",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "openjdk-11-demo",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-jdk",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-jdk-headless",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-jre",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-jre-headless",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-jre-zero",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
},
{
"binary_name": "openjdk-11-source",
"binary_version": "11.0.14+9-0ubuntu2~18.04"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "openjdk-lts",
"purl": "pkg:deb/ubuntu/openjdk-lts@11.0.14+9-0ubuntu2~18.04?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.14+9-0ubuntu2~18.04"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"9.0.4+12-2ubuntu4",
"9.0.4+12-4ubuntu1",
"10~46-4ubuntu1",
"10~46-5ubuntu1",
"10.0.1+10-1ubuntu2",
"10.0.1+10-3ubuntu1",
"10.0.2+13-1ubuntu0.18.04.1",
"10.0.2+13-1ubuntu0.18.04.2",
"10.0.2+13-1ubuntu0.18.04.3",
"10.0.2+13-1ubuntu0.18.04.4",
"11.0.2+9-3ubuntu1~18.04.3",
"11.0.3+7-1ubuntu2~18.04.1",
"11.0.4+11-1ubuntu2~18.04.3",
"11.0.5+10-0ubuntu1.1~18.04",
"11.0.6+10-1ubuntu1~18.04.1",
"11.0.7+10-2ubuntu2~18.04",
"11.0.8+10-0ubuntu1~18.04.1",
"11.0.9+11-0ubuntu1~18.04.1",
"11.0.9.1+1-0ubuntu1~18.04",
"11.0.10+9-0ubuntu1~18.04",
"11.0.11+9-0ubuntu2~18.04",
"11.0.13+8-0ubuntu1~18.04"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-21248",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21277",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21282",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21283",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21291",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21293",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21294",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21296",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21299",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21305",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21340",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21341",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21360",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21365",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21366",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "openjdk-17-demo",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-jdk",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-jdk-headless",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-jre",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-jre-headless",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-jre-zero",
"binary_version": "17.0.2+8-1~20.04"
},
{
"binary_name": "openjdk-17-source",
"binary_version": "17.0.2+8-1~20.04"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "openjdk-17",
"purl": "pkg:deb/ubuntu/openjdk-17@17.0.2+8-1~20.04?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "17.0.2+8-1~20.04"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"17+35-1~20.04",
"17.0.1+12-1~20.04"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-21248",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21277",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21282",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21283",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21291",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21293",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21294",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21296",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21299",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21305",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21340",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21341",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21360",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21365",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-21366",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "openjdk-11-demo",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-jdk",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-jdk-headless",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-jre",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-jre-headless",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-jre-zero",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
},
{
"binary_name": "openjdk-11-source",
"binary_version": "11.0.14+9-0ubuntu2~20.04"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "openjdk-lts",
"purl": "pkg:deb/ubuntu/openjdk-lts@11.0.14+9-0ubuntu2~20.04?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.14+9-0ubuntu2~20.04"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"11.0.5+10-0ubuntu1",
"11.0.5+10-2ubuntu1",
"11.0.6+10-1ubuntu1",
"11.0.6+10-2ubuntu2",
"11.0.7+9-1ubuntu1",
"11.0.7+10-2ubuntu1",
"11.0.7+10-3ubuntu1",
"11.0.8+10-0ubuntu1~20.04",
"11.0.9+11-0ubuntu1~20.04",
"11.0.9.1+1-0ubuntu1~20.04",
"11.0.10+9-0ubuntu1~20.04",
"11.0.11+9-0ubuntu2~20.04",
"11.0.13+8-0ubuntu1~20.04"
]
}
],
"aliases": [],
"details": "It was discovered that OpenJDK incorrectly handled deserialization filters.\nAn attacker could possibly use this issue to insert, delete or obtain\nsensitive information. (CVE-2022-21248)\n\nIt was discovered that OpenJDK incorrectly read uncompressed TIFF files.\nAn attacker could possibly use this issue to cause a denial of service via\na specially crafted TIFF file. (CVE-2022-21277)\n\nJonni Passki discovered that OpenJDK incorrectly verified access\nrestrictions when performing URI resolution. An attacker could possibly\nuse this issue to obtain sensitive information. (CVE-2022-21282)\n\nIt was discovered that OpenJDK incorrectly handled certain regular\nexpressions in the Pattern class implementation. An attacker could\npossibly use this issue to cause a denial of service. (CVE-2022-21283)\n\nIt was discovered that OpenJDK incorrectly handled specially crafted Java\nclass files. An attacker could possibly use this issue to cause a denial\nof service. (CVE-2022-21291)\n\nMarkus Loewe discovered that OpenJDK incorrectly validated attributes\nduring object deserialization. An attacker could possibly use this issue\nto cause a denial of service. (CVE-2022-21293, CVE-2022-21294)\n\nDan Rabe discovered that OpenJDK incorrectly verified access permissions\nin the JAXP component. An attacker could possibly use this to specially\ncraft an XML file to obtain sensitive information. (CVE-2022-21296)\n\nIt was discovered that OpenJDK incorrectly handled XML entities. An\nattacker could use this to specially craft an XML file that, when parsed,\nwould possibly cause a denial of service. (CVE-2022-21299)\n\nZhiqiang Zang discovered that OpenJDK incorrectly handled array indexes.\nAn attacker could possibly use this issue to obtain sensitive information.\n(CVE-2022-21305)\n\nIt was discovered that OpenJDK incorrectly read very long attributes\nvalues in JAR file manifests. An attacker could possibly use this to\nspecially craft JAR file to cause a denial of service. (CVE-2022-21340)\n\nIt was discovered that OpenJDK incorrectly validated input from serialized\nstreams. An attacker cold possibly use this issue to bypass sandbox\nrestrictions. (CVE-2022-21341)\n\nFabian Meumertzheim discovered that OpenJDK incorrectly handled certain\nspecially crafted BMP or TIFF files. An attacker could possibly use this\nto cause a denial of service. (CVE-2022-21360, CVE-2022-21366)\n\nIt was discovered that an integer overflow could be triggered in OpenJDK\nBMPImageReader class implementation. An attacker could possibly use this\nto specially craft a BMP file to cause a denial of service.\n(CVE-2022-21365)\n",
"id": "USN-5313-1",
"modified": "2026-04-27T14:11:27Z",
"published": "2022-03-07T11:29:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-5313-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21248"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21277"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21282"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21283"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21291"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21293"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21294"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21296"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21299"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21305"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21340"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21341"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21360"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21365"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-21366"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "openjdk-lts, openjdk-17 vulnerabilities",
"upstream": [
"UBUNTU-CVE-2022-21248",
"UBUNTU-CVE-2022-21277",
"UBUNTU-CVE-2022-21282",
"UBUNTU-CVE-2022-21283",
"UBUNTU-CVE-2022-21291",
"UBUNTU-CVE-2022-21293",
"UBUNTU-CVE-2022-21294",
"UBUNTU-CVE-2022-21296",
"UBUNTU-CVE-2022-21299",
"UBUNTU-CVE-2022-21305",
"UBUNTU-CVE-2022-21340",
"UBUNTU-CVE-2022-21341",
"UBUNTU-CVE-2022-21360",
"UBUNTU-CVE-2022-21365",
"UBUNTU-CVE-2022-21366"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.