CVE-2020-2778
Publication date 15 April 2020
Last updated 25 August 2025
Ubuntu priority
Description
Vulnerability in the Java SE product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 11.0.6 and 14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| openjdk-14 | 20.04 LTS focal | Not in release |
| 18.04 LTS bionic | Not in release | |
| openjdk-8 | 20.04 LTS focal |
Not affected
|
| 18.04 LTS bionic |
Not affected
|
|
| openjdk-lts | 20.04 LTS focal |
Fixed 11.0.7+10-2ubuntu1
|
| 18.04 LTS bionic |
Fixed 11.0.7+10-2ubuntu2~18.04
|
|
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
3.7 · Low
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-4337-1
- OpenJDK vulnerabilities
- 22 April 2020