CVE Daily
← All tags

Tag: Oracle JDK

All CVEs associated with "Oracle JDK". Page 19/43 • 5132 CVEs.

Subscribe CVEs: RSS for “Oracle JDK”  ·  RSS (High+Critical only)

About “Oracle JDK”

A curated feed of “Oracle JDK”-related CVEs appears below. We currently track 5132 CVEs for this tag (all time). In the last 365 days, 782 were published. Average CVSS is 6.7 (all time; 6.3 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

In our taxonomy this topic maps to a MODERATE impact class. JDK and JVM updates affect TLS, serialization, and performance. Upgrade JDK or JRE, restart dependents, avoid unsupported builds, and consider key or cert rotation if needed. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2021-12-22
Medium

CVE-2020-20597

A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2021-12-15
High

CVE-2021-1040

In onCreate of BluetoothPairingSelectionFragment.java, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privil…

CVSS: 7.8 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Low

CVE-2021-1034

In getLine1NumberForDisplay of PhoneInterfaceManager.java, there is apossible way to determine whether an app is installed, without querypermissions due to a missing permission check. This could lead…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
Low

CVE-2021-1032

In getMimeGroup of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Low

CVE-2021-1031

In cancelNotificationsFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information dis…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1030

In setNotificationsShownFromListener of NotificationManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information d…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1026

In startRanging of RttServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to loc…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1025

In hasNamedWallpaper of WallpaperManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead t…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-1024

In onEventReceived of EventResultPersister.java, there is a possible intent redirection due to a confused deputy. This could lead to local escalation of privilege with System execution privileges nee…

CVSS: 6.7 CWE: N/A View on NVD
Medium

CVE-2021-1023

In onCreate of RequestIgnoreBatteryOptimizations.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This co…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2021-1021

In snoozeNotificationInt of NotificationManagerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalatio…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-1020

In snoozeNotification of NotificationListenerService.java, there is a possible way to disable notification for an arbitrary user due to improper input validation. This could lead to local escalation…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-1019

In snoozeNotification of NotificationListenerService.java, there is a possible permission confusion due to a misleading user consent dialog. This could lead to local escalation of privilege with User…

CVSS: 7.3 CWE: N/A View on NVD
Low

CVE-2021-1018

In adjustStreamVolume of AudioService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
High

CVE-2021-1016

In onCreate of UsbPermissionActivity.java, there is a possible way to grant an app access to USB without informed user consent due to a tapjacking/overlay attack. This could lead to local escalation…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Low

CVE-2021-1015

In getMeidForSlot of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could le…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1014

In getNetworkTypeForSubscriber of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1013

In checkExistsAndEnforceCannotModifyImmutablyRestrictedPermission of PermissionManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1012

In onResume of NotificationAccessDetails.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1011

In setPackageStoppedState of PackageManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User inte…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-1010

In getSigningKeySet of PackageManagerService.java, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interactio…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-1009

In setApplicationCategoryHint of PackageManagerService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. T…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-1008

In addSubInfo of SubscriptionController.java, there is a possible way to force the user to make a factory reset due to a logic error in the code. This could lead to local denial of service with Syste…

CVSS: 4.4 CWE: N/A View on NVD
Medium

CVE-2021-1006

In several functions of DatabaseManager.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. This could lead to local information disclosure with System execut…

CVSS: 4.4 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Medium

CVE-2021-1005

In getDeviceIdWithFeature of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This…

CVSS: 5.5 CWE: CWE-203 - Observable Discrepancy View on NVD
High

CVE-2021-1004

In getConfiguredNetworks of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could lead to lo…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-1003

In adjustStreamVolume of AudioService.java, there is a possible way for unprivileged app to change audio stream volume due to a confused deputy. This could lead to local escalation of privilege with…

CVSS: 7.8 CWE: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere View on NVD
Medium

CVE-2021-0997

In handleUpdateNetworkState of GnssNetworkConnectivityHandler.java , there is a possible APN disclosure due to log information disclosure. This could lead to local information disclosure with no addi…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Low

CVE-2021-0995

In registerSuggestionConnectionStatusListener of WifiServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information dis…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Low

CVE-2021-0994

In requestRouteToHostAddress of ConnectivityService.java, there is a possible way to determine whether an app is installed, without query permissions, due to a missing permission check. This could le…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0993

In getOffsetBeforeAfter of TextLine.java, there is a possible denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed.…

CVSS: 6.5 CWE: N/A View on NVD
Low

CVE-2021-0992

In onCreate of PaymentDefaultDialog.java, there is a possible way to change a default payment app without user consent due to tapjack overlay. This could lead to local escalation of privilege with no…

CVSS: 3.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Low

CVE-2021-0991

In OnMetadataChangedListener of AdvancedBluetoothDetailsHeaderController.java, there is a possible leak of Bluetooth MAC addresses due to log information disclosure. This could lead to local informat…

CVSS: 2.4 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Low

CVE-2021-0990

In getDeviceId of PhoneSubInfoController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Low

CVE-2021-0989

In hasManageOngoingCallsPermission of TelecomServiceImpl.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Low

CVE-2021-0988

In getLaunchedFromUid and getLaunchedFromPackage of ActivityClientController.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel inf…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Low

CVE-2021-0987

In getNeighboringCellInfo of PhoneInterfaceManager.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This…

CVSS: 3.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2021-0986

In hasGrantedPolicy of DevicePolicyManagerService.java, there is a possible information disclosure about the device owner, profile owner, or device admin due to a logic error in the code. This could…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0985

In onReceive of AlertReceiver.java, there is a possible way to dismiss system dialog due to a missing permission check. This could lead to local escalation of privilege with no additional execution p…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0984

In onNullBinding of ManagedServices.java, there is a possible permission bypass due to an incorrectly unbound service. This could lead to local escalation of privilege with no additional execution pr…

CVSS: 7.8 CWE: CWE-404 - Improper Resource Shutdown or Release View on NVD
Low

CVE-2021-0983

In createAdminSupportIntent of DevicePolicyManagerService.java, there is a possible disclosure of information about installed device/profile owner package name due to side channel information disclos…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2021-0982

In getOrganizationNameForUser of DevicePolicyManagerService.java, there is a possible organization name disclosure due to a missing permission check. This could lead to local information disclosure w…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0981

In enqueueNotificationInternal of NotificationManagerService.java, there is a possible way to run a foreground service without showing a notification due to improper input validation. This could lead…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0979

In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions b…

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
Low

CVE-2021-0978

In getSerialForPackage of DeviceIdentifiersPolicyService.java, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure.…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0973

In isFileUri of UriUtil.java, there is a possible way to bypass ignoring file://URI attachment due to improper handling of case sensitivity. This could lead to local information disclosure with no ad…

CVSS: 5.0 CWE: CWE-178 - Improper Handling of Case Sensitivity View on NVD
High

CVE-2021-0970

In createFromParcel of GpsNavigationMessage.java, there is a possible Parcel serialization/deserialization mismatch. This could lead to local escalation of privilege with no additional execution priv…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Medium

CVE-2021-0969

In getTitle of AccessPoint.java, there is a possible unhandled exception due to a missing null check. This could lead to remote denial of service if a proximal Wi-Fi AP provides invalid information w…

CVSS: 6.5 CWE: CWE-755 - Improper Handling of Exceptional Conditions View on NVD
High

CVE-2021-0963

In onCreate of KeyChainActivity.java, there is a possible way to use an app certificate stored in keychain due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no…

CVSS: 7.1 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0953

In setOnClickActivityIntent of SearchWidgetProvider.java, there is a possible way to access contacts and history bookmarks without permission due to an unsafe PendingIntent. This could lead to local…

CVSS: 7.8 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2021-0952

In doCropPhoto of PhotoSelectionHandler.java, there is a possible permission bypass due to a confused deputy. This could lead to local information disclosure of user's contacts with no additional exe…

CVSS: 5.0 CWE: N/A View on NVD
High

CVE-2021-0933

In onCreate of CompanionDeviceActivity.java or DeviceChooserActivity.java, there is a possible way for HTML tags to interfere with a consent dialog due to improper input validation. This could lead t…

CVSS: 8.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0932

In showNotification of NavigationModeController.java, there is a possible confused deputy due to an unsafe PendingIntent. This could lead to local escalation of privilege that allows actions performe…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0931

In getAlias of BluetoothDevice.java, there is a possible way to create misleading permission dialogs due to missing data filtering. This could lead to local information disclosure with User execution…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0928

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege w…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0927

In requestChannelBrowsable of TvInputManagerService.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional e…

CVSS: 7.8 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
High

CVE-2021-0926

In onCreate of NfcImportVCardActivity.java, there is a possible way to add a contact without user's consent due to a missing permission check. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0923

In createOrUpdate of Permission.java, there is a possible way to gain internal permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execu…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0922

In enforceCrossUserOrProfilePermission of PackageManagerService.java, there is a possible bypass of INTERACT_ACROSS_PROFILES permission due to a missing permission check. This could lead to local esc…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0921

In ParsingPackageImpl of ParsingPackageImpl.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2021-0799

In ActivityThread.java, there is a possible way to collide the content provider's authorities. This could lead to local escalation of privilege with no additional execution privileges needed. User in…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2021-0769

In onCreate of AllowBindAppWidgetActivity.java, there is a possible bypass of user interaction requirements due to unclear UI. This could lead to local escalation of privilege with no additional exec…

CVSS: 7.3 CWE: N/A View on NVD
Medium

CVE-2021-0704

In createNoCredentialsPermissionNotification and related functions of AccountManagerService.java, there is a possible way to retrieve accounts from the device without permissions due to a permissions…

CVSS: 5.5 CWE: CWE-281 - Improper Preservation of Permissions View on NVD
Medium

CVE-2021-0653

In enqueueNotification of NetworkPolicyManagerService.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information disclosu…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0649

In stopVpnProfile of Vpn.java, there is a possible VPN profile reset due to a permissions bypass. This could lead to local escalation of privilege CONTROL_ALWAYS_ON_VPN with no additional execution p…

CVSS: 7.8 CWE: CWE-863 - Incorrect Authorization View on NVD
High

CVE-2021-0434

In onReceive of BluetoothPermissionRequest.java, there is a possible phishing attack allowing a malicious Bluetooth device to acquire permissions based on insufficient information presented to the us…

CVSS: 7.3 CWE: N/A View on NVD
Critical

CVE-2021-43113

iTextPDF in iText 7 and up to (excluding 4.4.13.3) 7.1.17 allows command injection via a CompareTool filename that is mishandled on the gs (aka Ghostscript) command line in GhostscriptHelper.java.

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2021-12-14
Critical

CVE-2021-45046

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC)…

CVSS: 9.0 CWE: CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') View on NVD
Critical

CVE-2021-42064

If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacker…

CVSS: 9.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2021-12-13
High

CVE-2021-41272

Besu is an Ethereum client written in Java. Starting in version 21.10.0, changes in the implementation of the SHL, SHR, and SAR operations resulted in the introduction of a signed type coercion error…

CVSS: 7.5 CWE: CWE-681 - Incorrect Conversion between Numeric Types View on NVD
2021-12-08
High

CVE-2021-37941

A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a…

CVSS: 7.8 CWE: CWE-269 - Improper Privilege Management View on NVD
2021-12-02
Medium

CVE-2021-23262

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.

CVSS: 4.2 CWE: CWE-913 - Improper Control of Dynamically-Managed Code Resources View on NVD
2021-11-23
Medium

CVE-2021-40831

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation…

CVSS: 6.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-40830

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succe…

CVSS: 6.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-40829

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not…

CVSS: 6.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2021-40828

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did no…

CVSS: 6.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2021-11-22
Medium

CVE-2021-33493

The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format.

CVSS: 6.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-11-17
High

CVE-2021-35528

Improper Access Control vulnerability in the application authentication and authorization of Hitachi Energy Retail Operations, Counterparty Settlement and Billing (CSB) allows an attacker to execute…

CVSS: 7.2 CWE: CWE-284 - Improper Access Control View on NVD
2021-11-15
Critical

CVE-2021-41269

cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enab…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-11-09
Critical

CVE-2021-43570

The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

CVSS: 9.8 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2021-10-28
Medium

CVE-2021-22097

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-seriali…

CVSS: 6.5 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2019-19810

Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending craf…

CVSS: 10.0 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2021-10-27
High

CVE-2021-41619

An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (availa…

CVSS: 7.2 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2021-10-22
High

CVE-2021-0708

In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional executio…

CVSS: 7.8 CWE: CWE-610 - Externally Controlled Reference to a Resource in Another Sphere View on NVD
Medium

CVE-2021-0706

In startListening of PluginManagerImpl.java, there is a possible way to disable arbitrary app components due to a missing permission check. This could lead to local denial of service with no addition…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0705

In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This co…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2021-0652

In VectorDrawable::VectorDrawable of VectorDrawable.java, there is a possible way to introduce a memory corruption due to sharing of not thread-safe objects. This could lead to local escalation of pr…

CVSS: 7.8 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-0651

In loadLabel of PackageItemInfo.java, there is a possible way to DoS a device by having a long label in an app due to incorrect input validation. This could lead to local denial of service with no ad…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2021-0643

In getAllSubInfoList of SubscriptionController.java, there is a possible way to retrieve a long term identifier without the correct permissions due to a missing permission check. This could lead to l…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
2021-10-20
High

CVE-2021-35619

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 19c and 21c. Difficult to exploit vulnerability allows low privileged at…

CVSS: 7.1 CWE: N/A View on NVD
Low

CVE-2021-35603

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalV…

CVSS: 3.7 CWE: N/A View on NVD
Low

CVE-2021-35588

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u311, 8u301; Oracle GraalVM Enterpri…

CVSS: 3.1 CWE: N/A View on NVD
Medium

CVE-2021-35586

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle Gra…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-35578

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM Enter…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-35567

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u301, 11.0.12, 17; Oracle GraalVM…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2021-35565

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM En…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-35564

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Keytool). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle Gra…

CVSS: 5.3 CWE: N/A View on NVD
Medium

CVE-2021-35561

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Utility). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle Gra…

CVSS: 5.3 CWE: N/A View on NVD
High

CVE-2021-35560

Vulnerability in the Java SE product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u301. Difficult to exploit vulnerability allows unauthenticated att…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2021-35559

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle Graal…

CVSS: 5.3 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
Medium

CVE-2021-35556

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle Graal…

CVSS: 5.3 CWE: CWE-693 - Protection Mechanism Failure View on NVD
Medium

CVE-2021-35550

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u311, 8u301, 11.0.12; Oracle GraalVM En…

CVSS: 5.9 CWE: N/A View on NVD
2021-10-18
Critical

CVE-2021-42575

The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements.

CVSS: 9.8 CWE: N/A View on NVD
2021-10-12
High

CVE-2021-33728

A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2 Update 1). The affected system allows to upload JSON objects that are deserialized to JAVA objects. Due to insecure deseriali…

CVSS: 7.2 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2021-10-11
Medium

CVE-2021-25738

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

CVSS: 6.7 CWE: CWE-20 - Improper Input Validation View on NVD
2021-10-06
Medium

CVE-2021-0693

In openFile of HeapDumpProvider.java, there is a possible way to retrieve generated heap dumps from debuggable apps due to an unprotected provider. This could lead to local information disclosure wit…

CVSS: 5.5 CWE: N/A View on NVD
High

CVE-2021-0692

In sendBroadcastToInstaller of FirstScreenBroadcast.java, there is a possible activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execu…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2021-0688

In lockNow of PhoneWindowManager.java, there is a possible lock screen bypass due to a race condition. This could lead to local escalation of privilege with User execution privileges needed. User int…

CVSS: 7.0 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-0687

In ellipsize of Layout.java, there is a possible ANR due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is n…

CVSS: 5.0 CWE: CWE-834 - Excessive Iteration View on NVD
Medium

CVE-2021-0686

In getDefaultSmsPackage of RoleManagerService.java, there is a possible way to get information about the default sms app of a different device user due to a missing permission check. This could lead…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2021-0685

In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2021-0683

In runTraceIpcStop of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional exec…

CVSS: 7.8 CWE: N/A View on NVD
Medium

CVE-2021-0682

In sendAccessibilityEvent of NotificationManagerService.java, there is a possible disclosure of notification data due to a missing permission check. This could lead to local information disclosure wi…

CVSS: 5.5 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-0644

In conditionallyRemoveIdentifiers of SubscriptionController.java, there is a possible way to retrieve a trackable identifier due to a missing permission check. This could lead to local information di…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2021-0598

In onCreate of ConfirmConnectActivity.java, there is a possible pairing of untrusted Bluetooth devices due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User e…

CVSS: 7.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
High

CVE-2021-0595

In lockAllProfileTasks of RootWindowContainer.java, there is a possible way to access the work profile without the profile PIN, after logging in. This could lead to local escalation of privilege with…

CVSS: 7.8 CWE: CWE-287 - Improper Authentication View on NVD
2021-09-30
Critical

CVE-2021-41616

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
Critical

CVE-2020-18685

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of unchecked prerequisites related to TCP or UDP ports, or group or table IDs.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2020-18684

Floodlight through 1.2 has an integer overflow in checkFlow in StaticFlowEntryPusherResource.java via priority or port number.

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Critical

CVE-2020-18683

Floodlight through 1.2 has poor input validation in checkFlow in StaticFlowEntryPusherResource.java because of undefined fields mishandling.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD