CVE-2019-17639
moderate-risk
Published 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This allows whatever value happens to be in the return register at that time to be used as if it matches the method's declared return type.
Do I need to act?
-
0.63% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Vendors
References (2)
Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563998
Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563998
33
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
2/34 · Minimal
Exposure
10/34 · Low