CVE-2019-11772

CWE-787 — Out-of-bounds Write CWE-119 — Buffer Overflow5 documents5 sources

Severity

9.8CRITICAL

EPSS

0.9%

top 24.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Openj9 Eclipse Openj9

Timeline

PublishedJul 17

Latest updateMay 24

Description

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDeclipse/openj9< 0.15.0

▶CVEListV5the_eclipse_foundation/eclipse_openj9unspecified — 0.15.0

🔴Vulnerability Details

GHSA

GHSA-pm38-595m-8jp2: In Eclipse OpenJ9 prior to 0↗2022-05-24

▶

CVEList

CVE-2019-11772: In Eclipse OpenJ9 prior to 0↗2019-07-17

▶

📋Vendor Advisories

Red Hat

JDK: Out-of-bounds access in the String.getBytes method↗2019-08-01

▶

💬Community

Bugzilla

CVE-2019-11772 IBM JDK: Out-of-bounds access in the String.getBytes method↗2019-08-07

▶