CVE-2021-28167

CWE-9093 documents3 sources
Severity
6.5MEDIUM
EPSS
0.2%
top 59.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
THE Eclipse Foundation Eclipse Openj9Eclipse Openj9
Timeline
PublishedApr 21
Latest updateMay 24

Description

In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

NVDeclipse/openj90.25.0
CVEListV5the_eclipse_foundation/eclipse_openj9unspecified0.25.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
GHSA
GHSA-wmhf-m2r4-mcrp: In Eclipse Openj9 to version 02022-05-24
CVEList
CVE-2021-28167: In Eclipse Openj9 to version 02021-04-21
CVE-2021-28167 (MEDIUM CVSS 6.5) | In Eclipse Openj9 to version 0.25.0 | cvebase.io