CVSS2 score: 6.8 (Medium)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS score: 0.041 (Low)
EPSS percentile: 92.2%
JavaFX, a GUI library for Java applications, is bundled with OracleJDK 7 through 10.
Since OracleJDK 11, JavaFX has been maintained and developed separately by the OpenJFX project under the OpenJDK community.
The JavaFX WebEngine component renders web content and can be configured to allow JavaScript code to call Java methods.
The WebEngine component does not properly restrict which Java methods can be executed (CWE-470: Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection').
This vulnerability is similar to CVE-2012-6636 in the Android WebView component.
When a JavaFX application renders crafted web content, arbitrary Java code may be executed with the application's privileges.
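The following JavaFX snippet is an added illustration, not code from the advisory or from OpenJFX. It shows the JavaScript-to-Java bridge the advisory refers to, installed with JSObject.setMember, beside the defensive pattern of exposing only a small, purpose-built object and only to pages the application ships itself. The class name PageBridge, the bundled resource /index.html and the "app" member name are assumptions. Narrowing the bridge limits what a page script holds a reference to; it does not replace the library update, because the restriction on which methods are reachable lives inside WebEngine.

```java
import javafx.application.Application;
import javafx.concurrent.Worker;
import javafx.scene.Scene;
import javafx.scene.web.WebEngine;
import javafx.scene.web.WebView;
import javafx.stage.Stage;
import netscape.javascript.JSObject;

public class BridgeExample extends Application {

    // Hardened bridge (assumed name): a dedicated class with only the methods the
    // page needs, no public fields, and no methods that hand back arbitrary objects.
    // Avoid the risky shortcut of exposing the Application or other broad objects,
    // e.g. window.setMember("app", this).
    public static final class PageBridge {
        private final StringBuilder log = new StringBuilder();

        // Every public method is callable from page script: keep the surface small,
        // validate inputs, and return only primitives or strings.
        public void recordEvent(String name) {
            if (name == null || name.length() > 64 || !name.matches("[A-Za-z0-9_]+")) {
                return; // reject input outside the expected shape
            }
            log.append(name).append('\n');
        }

        public String events() {
            return log.toString();
        }
    }

    @Override
    public void start(Stage stage) {
        WebView view = new WebView();
        WebEngine engine = view.getEngine();

        // Assumed: the application's own page is bundled as a classpath resource.
        String trustedUrl = getClass().getResource("/index.html").toExternalForm();
        PageBridge bridge = new PageBridge();

        // A fresh window object exists per document, so the bridge must be
        // re-installed after each successful load; install it only when the
        // document that finished loading is the application's own page.
        engine.getLoadWorker().stateProperty().addListener((obs, oldState, newState) -> {
            if (newState != Worker.State.SUCCEEDED) {
                return;
            }
            if (trustedUrl.equals(engine.getLocation())) {
                JSObject window = (JSObject) engine.executeScript("window");
                window.setMember("app", bridge);
            }
            // Any other document is rendered without a Java-side object to call.
        });

        engine.load(trustedUrl);
        stage.setScene(new Scene(view, 800, 600));
        stage.show();
    }

    public static void main(String[] args) {
        launch(args);
    }
}
```

If the application never needs script access to Java at all, engine.setJavaScriptEnabled(false) removes the bridge question entirely; where untrusted content must be displayed, render it in a separate WebEngine that never receives a setMember call.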
Update the software
JavaFX application developers should rebuild their applications against the latest version of the JavaFX library.
JavaFX application users should update their Java runtime environment to the latest version.
The JavaFX library in OracleJDK 8u251 and JavaFX 14.0.1 restricts a number of Java methods callable from JavaScript code.
Please refer to the release notes for details.