REDHAT-BUG-2221626: Path Traversal
First published: Mon Jul 10 2023(Updated: )
It was found that the ResponseBodyHandlers class implementation in the Networking/HTTP client component of OpenJDK failed to check for special characters embedded in file name parameters. A malicious user able to make a Java application perform an HTTP request to an attacker provided URL could use this flaw to possibly carry out a path traversal attack.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenJDK 17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:4170
- https://access.redhat.com/errata/RHSA-2023:4171
- https://access.redhat.com/errata/RHSA-2023:4165
- https://access.redhat.com/errata/RHSA-2023:4162
- https://access.redhat.com/errata/RHSA-2023:4164
- https://access.redhat.com/errata/RHSA-2023:4157
- https://access.redhat.com/errata/RHSA-2023:4169
- https://access.redhat.com/errata/RHSA-2023:4163
- https://access.redhat.com/errata/RHSA-2023:4161
- https://access.redhat.com/errata/RHSA-2023:4208
- https://access.redhat.com/errata/RHSA-2023:4210
- https://access.redhat.com/errata/RHSA-2023:4211
- https://access.redhat.com/errata/RHSA-2023:4177
- https://access.redhat.com/errata/RHSA-2023:4158
- https://access.redhat.com/errata/RHSA-2023:4159
- https://access.redhat.com/errata/RHSA-2023:4175
- https://access.redhat.com/errata/RHSA-2023:4233
- https://access.redhat.com/security/cve/cve-2023-22006
- https://github.com/openjdk/jdk11u/commit/bf301e2476ae6333c64c7cda8855a18198807e55
- https://github.com/openjdk/jdk17u/commit/3e56ecce998602618987ffd3b68d8468e8e939c2
- https://www.oracle.com/security-alerts/cpujul2023.html#AppendixJAVA
- https://www.oracle.com/java/technologies/javase/11-0-20-relnotes.html
- https://www.oracle.com/java/technologies/javase/17-0-8-relnotes.html
- https://www.oracle.com/java/technologies/javase/20-0-2-relnotes.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2221626
Frequently Asked Questions
What is the severity of REDHAT-BUG-2221626?
REDHAT-BUG-2221626 is classified as a moderate severity vulnerability.
How do I fix REDHAT-BUG-2221626?
To fix REDHAT-BUG-2221626, update your OpenJDK to the latest patched version as recommended by your vendor.
What impact does REDHAT-BUG-2221626 have?
REDHAT-BUG-2221626 allows a malicious user to exploit vulnerabilities in HTTP requests, potentially leading to arbitrary file access.
Which versions of OpenJDK are affected by REDHAT-BUG-2221626?
REDHAT-BUG-2221626 primarily affects OpenJDK 17.
How can I determine if my application is vulnerable to REDHAT-BUG-2221626?
You can determine vulnerability to REDHAT-BUG-2221626 by checking if your application makes HTTP requests that include user-controlled filenames.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-22006
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/openjdk 17