project: Eclipse OpenJ9
versions: initial - 0.23
cwe: CWE-121 https://cwe.mitre.org/data/definitions/121.html
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
summary: In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are using OMR and converting from UTF-8 characters to platform encoding.
project: Eclipse OpenJ9
versions: initial - 0.23
cwe: CWE-121 https://cwe.mitre.org/data/definitions/121.html
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
summary: In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
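The description above names the general shape of the defect (CWE-121: a fixed-size stack buffer receiving the output of a UTF-8 to platform-encoding conversion) without showing the converter. The following is an added example, not code from OpenJ9 or OMR: it shows the defensive pattern a converter needs, namely checking the remaining output capacity before every write rather than trusting a buffer sized from the UTF-8 byte count. Latin-1 stands in for "platform encoding" here, and the function names utf8_decode, utf8_to_latin1_bounded and convert_on_stack are hypothetical; the inputs in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Decode one UTF-8 sequence at s (at most len bytes available).
   Returns the number of bytes consumed and stores the code point in *cp;
   returns 0 for a truncated, overlong or otherwise malformed sequence. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    if (len == 0) return 0;
    unsigned char b = s[0];
    size_t need;
    uint32_t v;
    if (b < 0x80)                    { *cp = b; return 1; }
    else if (b >= 0xC2 && b <= 0xDF) { need = 2; v = b & 0x1F; }
    else if (b >= 0xE0 && b <= 0xEF) { need = 3; v = b & 0x0F; }
    else if (b >= 0xF0 && b <= 0xF4) { need = 4; v = b & 0x07; }
    else return 0;                   /* stray continuation byte or invalid lead */
    if (len < need) return 0;        /* truncated sequence */
    for (size_t i = 1; i < need; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        v = (v << 6) | (s[i] & 0x3F);
    }
    /* reject overlong encodings, UTF-16 surrogates and out-of-range values */
    if ((need == 3 && v < 0x800) || (need == 4 && v < 0x10000)) return 0;
    if ((v >= 0xD800 && v <= 0xDFFF) || v > 0x10FFFF) return 0;
    *cp = v;
    return need;
}

/* Convert UTF-8 to Latin-1 (a stand-in for "platform encoding") into out,
   which has room for out_cap bytes including the terminating NUL.
   Returns the number of bytes written (not counting the NUL), or -1 if the
   input is malformed or the result would not fit. The capacity check runs
   before every write, so the function never touches out[out_cap] or beyond.
   A converter that sized a stack buffer from the UTF-8 byte count and then
   wrote unconditionally would be the CWE-121 pattern this page describes. */
int utf8_to_latin1_bounded(const char *in, size_t in_len, char *out, size_t out_cap)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t pos = 0, written = 0;
    if (out_cap == 0) return -1;
    while (pos < in_len) {
        uint32_t cp;
        size_t n = utf8_decode(s + pos, in_len - pos, &cp);
        if (n == 0) return -1;
        if (written + 1 >= out_cap) return -1;   /* reserve one byte for NUL */
        out[written++] = (cp <= 0xFF) ? (char)cp : '?';
        pos += n;
    }
    out[written] = '\0';
    return (int)written;
}

/* Caller with a small fixed-size stack buffer, the situation CWE-121 covers.
   The canary byte placed after the buffer lets a test confirm that nothing
   was written past its end; -2 signals the canary was clobbered. */
int convert_on_stack(const char *in)
{
    struct { char buf[8]; unsigned char canary; } frame;
    memset(&frame, 0, sizeof frame);
    frame.canary = 0xA5;
    int n = utf8_to_latin1_bounded(in, strlen(in), frame.buf, sizeof frame.buf);
    return frame.canary == 0xA5 ? n : -2;
}

int main(void)
{
    /* constructed sample inputs: one that fits, one that is rejected */
    printf("%d\n", convert_on_stack("caf\xC3\xA9"));               /* 4 */
    printf("%d\n", convert_on_stack("this string is too long")); /* -1 */
    return 0;
}
```

The important property is that a rejected conversion is reported to the caller as an error rather than truncated silently or, worse, written past the buffer; the caller can then retry with a heap allocation sized from the actual converted length.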
I've assigned CVE-2020-27221. I've sent a pull request to the central authority: https://github.com/CVEProject/cvelist/pull/628
I've noticed that https://nvd.nist.gov/vuln/detail/CVE-2020-27221 indicates versions "Up to (excluding) 0.23.0" are affected. However, 0.23.0 is affected, as indicated by "versions: initial - 0.23". Should https://github.com/CVEProject/cvelist/pull/628/files be clarified? Is there a way to correct this?
I am not aware of the mechanism through which NIST processes the CVE data that we provide, so I'm not sure how they decided to inject the "excluding" part. My best guess is that somebody was confused and made a call without following the links back to here to ask for clarification. I'll add investigating this to my list. In the meantime, I'm thinking that our best bet is to be very precise when we describe versions, so I've updated the CVE report to indicate that the version range is "<= 0.23" and modified the text of the description to say "up to and including". https://github.com/CVEProject/cvelist/pull/880