{"id":"USN-7901-1","summary":"openjdk-21-crac vulnerabilities","details":"Jinfeng Guo discovered that the Security component of CRaC JDK 21 did not\ncorrectly handle certain representations of encoded strings. An\nunauthenticated remote attacker could possibly use this issue to modify\nfiles or leak sensitive information. (CVE-2025-53057)\n\nDarius Bohni discovered that the JAXP component of CRaC JDK 21 was\nvulnerable to an XML External Entity (XXE) attack. An unauthenticated remote\nattacker could possibly use this issue to modify files or leak sensitive\ninformation. (CVE-2025-53066)\n\nYakov Shafranovich discovered that the Libraries component of CRaC JDK 21\ncontained an issue where certain Strings built with StringBuilder returned\nan incorrect result for String.equals() checks. An unauthenticated remote\nattacker could possibly use this issue to update, insert, or delete\naccessible data. (CVE-2025-61748)\n\nIn addition to security fixes, the updated packages contain bug fixes, new\nfeatures, and possibly incompatible changes.\n\nPlease see the following for more information:\nhttps://openjdk.org/groups/vulnerability/advisories/2025-10-21","modified":"2026-04-27T18:28:22.554984Z","published":"2025-12-01T14:42:39Z","related":["UBUNTU-CVE-2025-53057","UBUNTU-CVE-2025-53066","UBUNTU-CVE-2025-61748"],"upstream":["CVE-2025-53057","CVE-2025-53066","CVE-2025-61748","UBUNTU-CVE-2025-53057","UBUNTU-CVE-2025-53066","UBUNTU-CVE-2025-61748"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7901-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-53057"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-53066"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61748"}],"affected":[{"package":{"name":"openjdk-21-crac","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/openjdk-21-crac@21.0.9+10-0ubuntu1~25.10?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"21.0.9+10-0ubuntu1~25.10"}]}],"versions":["21.0.6+7-0ubuntu1","21.0.7+6.1-0ubuntu1","21.0.8+9-0ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"openjdk-21-crac-demo","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-jdk","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-jdk-headless","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-jre","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-jre-headless","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-jre-zero","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-source","binary_version":"21.0.9+10-0ubuntu1~25.10"},{"binary_name":"openjdk-21-crac-testsupport","binary_version":"21.0.9+10-0ubuntu1~25.10"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7901-1.json","cves_map":{"cves":[{"id":"CVE-2025-53057","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-53066","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2025-61748","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:25.10"}}}],"schema_version":"1.7.5"}