{"id":"CVE-2022-42920","details":"Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.","aliases":["GHSA-97xg-phpr-rg8q"],"modified":"2026-04-02T08:22:21.315221Z","published":"2022-11-07T13:15:10.270Z","related":["ALSA-2023:0005","SUSE-SU-2022:4306-1","SUSE-SU-2022:4331-1","openSUSE-SU-2024:12498-1","openSUSE-SU-2024:12530-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/11/07/2"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-25"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-bcel","events":[{"introduced":"0"},{"fixed":"cf520ef45064c8fa4f43717ecc789d5a4f6b0d57"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"6.6.0"}]}}],"versions":["BCEL_5_0","BCEL_5_1","BCEL_5_2","BCEL_6_0","BCEL_6_0_RC1","BCEL_6_0_RC2","BCEL_6_0_RC3","BCEL_6_0_RC4","BCEL_6_0_RC5","BCEL_6_0_RC6","BCEL_6_0_RC7","BCEL_6_0_RC8","BCEL_6_1","BCEL_6_1_RC1","BCEL_6_2","BCEL_6_2_RC1","BCEL_6_3","BCEL_6_3_RC1","commons-bcel-6.3.1","commons-bcel-6.3.1-RC1","commons-bcel-6.4.0-RC1","commons-bcel-6.4.0-RC2","commons-bcel-6.4.1-RC1","commons-bcel-6.5.0-RC1","commons-bcel-6.6.0-RC1","initial","rel/commons-bcel-6.4.0","rel/commons-bcel-6.4.1","rel/commons-bcel-6.5.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42920.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}