CVE-2022-21277

CWE-770Allocation without Limits10 documents8 sources
Severity
5.3MEDIUM
EPSS
0.9%
top 24.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Netapp E-series Santricity OS ControllerOracle OpenjdkOracle Corporation Java SE JDK AND JRE+4 more
Timeline
PublishedJan 19
Latest updateMar 29

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to c

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages10 packages

NVDoracle/graalvm20.3.4, 21.3.0+1
NVDoracle/openjdk1111.0.13+4
NVDoracle/jdk11.0.13, 17.0.1+1
NVDoracle/jre11.0.13, 17.0.1+1

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

5
OSV
openjdk-lts regression2022-03-29
OSV
openjdk-lts, openjdk-17 vulnerabilities2022-03-07
GHSA
GHSA-fh88-rxj8-f46q: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO)2022-01-20
OSV
CVE-2022-21277: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO)2022-01-19
CVEList
CVE-2022-21277: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO)2022-01-19

📋Vendor Advisories

4
Ubuntu
OpenJDK vulnerabilities2022-03-07
Red Hat
OpenJDK: Incorrect reading of TIFF files in TIFFNullDecompressor (ImageIO, 8270952)2022-01-18
Oracle
Oracle Oracle Java SE Risk Matrix: ImageIO — CVE-2022-212772022-01-15
Debian
CVE-2022-21277: openjdk-11 - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product o...2022
CVE-2022-21277 (MEDIUM CVSS 5.3) | Vulnerability in the Oracle Java SE | cvebase.io