CVE-2020-2800

Name of the Vulnerable Software and Affected Versions Java SE versions 7u251, 8u241, 11.0.6, and 14 Java SE Embedded version 8u241

Description The issue is related to insufficient input validation in the Lightweight HTTP Server component of Oracle Java SE and Java SE Embedded. This can be exploited by a remote attacker to gain unauthorized access to modify, add, or delete data, or to access protected information. The vulnerability can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets. Successful attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data.

Recommendations For Java SE versions 7u251, 8u241, 11.0.6, and 14, consider disabling access to the Lightweight HTTP Server component until a patch is available. For Java SE Embedded version 8u241, restrict access to the vulnerable component to minimize the risk of exploitation. As a temporary workaround, avoid using APIs in the specified component without proper validation and sanitization of input data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.