CVE-2022-42920

Summary

CVE: CVE-2022-42920
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-11-07 13:15:00 UTC
Updated: 2024-01-17 15:15:00 UTC
Description: Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
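The practical check that follows from this advisory is locating copies of BCEL older than 6.6.0 on a classpath. The Python below is an added example written for this page; it is not code from Apache Commons BCEL or from the CVE record. It reads the Maven pom.properties that the official org.apache.bcel:bcel artifact ships, and treats a jar that contains org/apache/bcel/ classes but no version metadata (a shaded or repackaged copy) as needing manual review rather than silently passing it. The sample jars it builds with make_sample_jar() are constructed in memory for the demonstration and are not real artifacts; the helper and function names are this example's own.

```python
"""Find standalone Apache Commons BCEL jars that predate the 6.6.0 fix.

Added example for CVE-2022-42920; not code from Apache Commons BCEL or from
this page. The sample jars built by make_sample_jar() are constructed in
memory for the demonstration and are not real artifacts.
"""
import io
import os
import re
import zipfile

# First release carrying the fix, per the advisory text ("Update to ... 6.6.0").
FIXED_VERSION = (6, 6, 0)
# Metadata file the official org.apache.bcel:bcel Maven artifact ships.
POM_PROPS = "META-INF/maven/org.apache.bcel/bcel/pom.properties"
# Package prefix of BCEL classes inside a jar.
BCEL_CLASS_PREFIX = "org/apache/bcel/"


def parse_version(text):
    """'6.5.0' -> (6, 5, 0). Missing components default to 0; a qualifier
    such as '-SNAPSHOT' or '-rc1' is ignored, so treat pre-releases with care."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def bcel_version_from_jar(jar_bytes):
    """Return the BCEL version recorded in a jar.

    None      -> the jar does not contain org/apache/bcel/ classes at all
    'x.y.z'   -> version read from the Maven pom.properties
    'unknown' -> BCEL classes are present but no version metadata (typical of
                 a shaded/repackaged copy); needs manual review
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return value.strip()
        if any(n.startswith(BCEL_CLASS_PREFIX) for n in names):
            return "unknown"
        return None


def is_vulnerable(version):
    """True when a BCEL copy should be flagged. Unknown versions are flagged
    conservatively; a jar without BCEL (None) is never flagged."""
    if version is None:
        return False
    if version == "unknown":
        return True
    return parse_version(version) < FIXED_VERSION


def scan_jars(jars):
    """jars: iterable of (name, bytes). Returns [(name, version), ...] for
    every jar that should be flagged."""
    findings = []
    for name, data in jars:
        version = bcel_version_from_jar(data)
        if is_vulnerable(version):
            findings.append((name, version))
    return findings


def scan_directory(root):
    """Walk a directory tree (e.g. a deployed application's lib/) and flag jars."""
    def jar_files():
        for dirpath, _, files in os.walk(root):
            for f in files:
                if f.endswith(".jar"):
                    path = os.path.join(dirpath, f)
                    with open(path, "rb") as fh:
                        yield path, fh.read()
    return scan_jars(jar_files())


def make_sample_jar(version=None, with_bcel_classes=True):
    """Build a constructed in-memory jar for the demo (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_bcel_classes:
            # A class-file magic number stands in for a real BCEL class.
            zf.writestr(BCEL_CLASS_PREFIX + "Repository.class", b"\xca\xfe\xba\xbe")
        if version is not None:
            zf.writestr(POM_PROPS,
                        f"groupId=org.apache.bcel\nartifactId=bcel\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = [
        ("bcel-6.5.0.jar", make_sample_jar("6.5.0")),      # flagged
        ("bcel-6.6.0.jar", make_sample_jar("6.6.0")),      # fixed
        ("app-shaded.jar", make_sample_jar(None)),         # flagged: unknown
        ("commons-io.jar", make_sample_jar(None, False)),  # no BCEL
    ]
    for name, version in scan_jars(sample):
        print(f"{name}: BCEL {version} (< 6.6.0 or unknown), update to 6.6.0 or later")
```

Two caveats apply when using a scan like this. Distribution packages backport the fix without bumping the upstream version: the Fedora advisories in the reference list ship bcel-6.4.1-10 and bcel-6.5.0-3 as fixed builds, so for OS-packaged jars consult the package manager's advisory rather than the Maven version string. The JDK also bundles its own relocated copy of BCEL under com.sun.org.apache.bcel.internal, which this scan does not see; that copy is fixed through JDK updates, which is why an OpenJDK advisory (the Gentoo GLSA below) appears among the references.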

Risk And Classification

Problem Types: CWE-787 (Out-of-bounds Write)

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Apache | Commons Bcel | All | All | All | All
Operating System | Fedoraproject | Fedora | 35 | All | All | All
Operating System | Fedoraproject | Fedora | 36 | All | All | All
Operating System | Fedoraproject | Fedora | 37 | All | All | All

References

Reference | Source | Link | Tags
[SECURITY] Fedora 37 Update: bcel-6.5.0-3.fc37 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 35 Update: bcel-6.4.1-10.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
[SECURITY] Fedora 36 Update: bcel-6.4.1-10.fc36 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org |
OpenJDK: Multiple Vulnerabilities (GLSA 202401-25) - Gentoo security | | security.gentoo.org |
lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4 | MISC | lists.apache.org |
oss-security - Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing | MLIST | www.openwall.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported by Felix Wilhelm (Google). Fixed by GitHub pull request #147 to Apache Commons BCEL by Richard Atkins (https://github.com/rjatkins); the PR is derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and Christoph Langer (RealCLanger, https://github.com/RealCLanger).

Legacy QID Mappings

  • 150735 Oracle WebLogic Server Multiple Vulnerabilities (CPU - OCT2023)
  • 160356 Oracle Enterprise Linux Security Update for bcel (ELSA-2022-8958)
  • 160366 Oracle Enterprise Linux Security Update for bcel (ELSA-2023-0005)
  • 181194 Debian Security Update for bcel (CVE-2022-42920)
  • 241005 Red Hat Update for rh-maven36-bcel (RHSA-2022:8959)
  • 241010 Red Hat Update for bcel (RHSA-2022:8958)
  • 241031 Red Hat Update for bcel (RHSA-2023:0004)
  • 241032 Red Hat Update for bcel (RHSA-2023:0005)
  • 257240 CentOS Security Update for bcel (CESA-2022:8958)
  • 283507 Fedora Security Update for bcel (FEDORA-2022-01a56f581c)
  • 283508 Fedora Security Update for bcel (FEDORA-2022-0e358addb8)
  • 283509 Fedora Security Update for bcel (FEDORA-2022-f60a52e054)
  • 354663 Amazon Linux Security Advisory for bcel : ALAS2-2023-1916
  • 354674 Amazon Linux Security Advisory for bcel : ALAS-2023-1668
  • 354702 Amazon Linux Security Advisory for bcel : ALAS2022-2023-275
  • 355196 Amazon Linux Security Advisory for bcel : ALAS2023-2023-105
  • 672579 EulerOS Security Update for bcel (EulerOS-SA-2023-1307)
  • 673088 EulerOS Security Update for bcel (EulerOS-SA-2023-2137)
  • 710843 Gentoo Linux Open Java Development Toolkit (OpenJDK) Multiple Vulnerabilities (GLSA 202401-25)
  • 752973 SUSE Enterprise Linux Security Update for bcel (SUSE-SU-2022:4331-1)
  • 752977 SUSE Enterprise Linux Security Update for bcel (SUSE-SU-2022:4306-1)
  • 87530 Oracle WebLogic Server Multiple Vulnerabilities (CPUJAN2023)
  • 87548 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2023)
  • 940864 AlmaLinux Security Update for bcel (ALSA-2023:0005)
  • 960494 Rocky Linux Security Update for bcel (RLSA-2023:0005)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under license.
