CVE-2022-21426

CWE-770 — Allocation without Limits15 documents8 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 80.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netapp E-series Santricity OS Controller Oracle Corporation Java SE JDK AND JRE Azul Zulu +4 more

Timeline

PublishedApr 19

Latest updateAug 4

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages10 packages

▶CVEListV5oracle_corporation/java_se_jdk_and_jre8 versions+7

▶NVDoracle/graalvm20.3.5, 21.3.1, 22.0.0.2+2

▶NVDoracle/jdk5 versions+4

▶NVDoracle/jre5 versions+4

▶Debianopenjdk-11< 11.0.15+10-1~deb11u1

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

openjdk-8 vulnerabilities↗2022-08-04

▶

OSV

openjdk-8, openjdk-lts, openjdk-17, openjdk-18 vulnerabilities↗2022-08-04

▶

OSV

openjdk-17 vulnerabilities↗2022-04-26

▶

OSV

openjdk-lts vulnerabilities↗2022-04-26

▶

GHSA

GHSA-3g8v-2w9j-wwcx: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP)↗2022-04-20

▶

📋Vendor Advisories

Ubuntu

OpenJDK 8 vulnerabilities↗2022-08-04

▶

Ubuntu

OpenJDK vulnerabilities↗2022-08-04

▶

Ubuntu

OpenJDK vulnerabilities↗2022-04-26

▶

Ubuntu

OpenJDK vulnerabilities↗2022-04-26

▶

Red Hat

OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)↗2022-04-19

▶