CVE-2019-17639

CWE-843CWE-200 โ€” Information Exposure5 documents5 sources
Severity
5.3MEDIUM
EPSS
0.6%
top 29.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
THE Eclipse Foundation Eclipse Openj9Eclipse Openj9
Timeline
PublishedJul 15
Latest updateMay 24

Description

In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This allows whatever value happens to be in the return register at that time to be used as if it matches the method's declared return type.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

โ–ถNVDeclipse/openj90.20.0+1

๐Ÿ”ดVulnerability Details

2
GHSA
GHSA-rm33-h23j-qcgg: In Eclipse OpenJ9 prior to version 0โ†—2022-05-24
โ–ถ
CVEList
CVE-2019-17639: In Eclipse OpenJ9 prior to version 0โ†—2020-07-15
โ–ถ

๐Ÿ“‹Vendor Advisories

1
Red Hat
JDK: Information disclosure via calls to System.arraycopy() with invalid lengthโ†—2020-08-05
โ–ถ

๐Ÿ’ฌCommunity

1
Bugzilla
CVE-2019-17639 IBM JDK: Information disclosure via calls to System.arraycopy() with invalid lengthโ†—2020-08-05
โ–ถ
CVE-2019-17639 (MEDIUM CVSS 5.3) | In Eclipse OpenJ9 prior to version | cvebase.io