Apache Commons BCEL <6.6.0: OOB Write Enables Arbitrary Bytecode Injection
CVE-2022-42920 Published on November 7, 2022
Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2022-42920 has been classified as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2022-42920
Apache Software Foundation Apache Commons BCEL; Fedora Project Fedora.
Affected Versions
Apache Software Foundation Apache Commons BCEL: all versions below 6.6.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.