{"id":"USN-7900-1","summary":"openjdk-17-crac vulnerabilities","details":"Jinfeng Guo discovered that the Security component of CRaC JDK 17 did not\ncorrectly handle certain representations of encoded strings. An\nunauthenticated remote attacker could possibly use this issue to modify\nfiles or leak sensitive information. (CVE-2025-53057)\n\nDarius Bohni discovered that the JAXP component of CRaC JDK 17 was\nvulnerable to an XML External Entity (XXE) attack. An unauthenticated\nremote attacker could possibly use this issue to modify files or leak\nsensitive information. (CVE-2025-53066)\n\nIn addition to security fixes, the updated packages contain bug fixes, new\nfeatures, and possibly incompatible changes.\n\nPlease see the following for more information:\nhttps://openjdk.org/groups/vulnerability/advisories/2025-10-21","modified":"2026-04-27T18:28:25.859871Z","published":"2025-12-01T14:37:11Z","related":["UBUNTU-CVE-2025-53057","UBUNTU-CVE-2025-53066"],"upstream":["CVE-2025-53057","CVE-2025-53066","UBUNTU-CVE-2025-53057","UBUNTU-CVE-2025-53066"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7900-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-53057"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-53066"}],"affected":[{"package":{"name":"openjdk-17-crac","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/openjdk-17-crac@17.0.17+10-0ubuntu1~25.10?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"17.0.17+10-0ubuntu1~25.10"}]}],"versions":["17.0.14+7-0ubuntu1","17.0.15+6-0ubuntu1","17.0.16+8-0ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"openjdk-17-crac-demo","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-jdk","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-jdk-headless","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-jre","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-jre-headless","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-jre-zero","binary_version":"17.0.17+10-0ubuntu1~25.10"},{"binary_name":"openjdk-17-crac-source","binary_version":"17.0.17+10-0ubuntu1~25.10"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7900-1.json","cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-53057"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-53066"}]}}}],"schema_version":"1.7.5"}