CVE-2020-2601

Name of the Vulnerable Software and Affected Versions Java SE versions 7u241, 8u231, 11.0.5, and 13.0.1 Java SE Embedded version 8u231

Description The issue is related to inadequate access control in the Security component of Java SE and Java SE Embedded, allowing an unauthenticated attacker with network access via Kerberos to compromise Java SE or Java SE Embedded. This can result in unauthorized access to critical data or complete access to all Java SE and Java SE Embedded accessible data. The vulnerability can be exploited through APIs in the specified component, for example, through a web service that supplies data to the APIs. It affects Java deployments that load and run untrusted code, relying on the Java sandbox for security, such as clients running sandboxed Java Web Start applications or sandboxed Java applets.

Recommendations For Java SE versions 7u241, 8u231, 11.0.5, and 13.0.1, consider disabling the use of Kerberos protocol until a patch is available. For Java SE Embedded version 8u231, restrict access to the Security component to minimize the risk of exploitation. As a temporary workaround, consider disabling the use of APIs in the Security component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.