CVE-2022-42920

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

References

Affected packages

Git / github.com/apache/commons-bcel

Affected ranges

Type

GIT

Repo

https://github.com/apache/commons-bcel

Events

Introduced

Fixed

cf520ef45064c8fa4f43717ecc789d5a4f6b0d57

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.6.0"
        }
    ]
}

Affected versions

commons-bcel-6.*

commons-bcel-6.3.1

commons-bcel-6.3.1-RC1

commons-bcel-6.4.0-RC1

commons-bcel-6.4.0-RC2

commons-bcel-6.4.1-RC1

commons-bcel-6.5.0-RC1

commons-bcel-6.6.0-RC1

rel/commons-bcel-6.*

rel/commons-bcel-6.4.0

rel/commons-bcel-6.4.1

rel/commons-bcel-6.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42920.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "36"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "37"
            }
        ]
    }
]