CVE-2022-39259
Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack
Description
### Impact

Using jadx-gui to open a special zip file with an entry containing an HTML sequence like `<html><frame>` causes the interface to get stuck and throw exceptions like:

```
java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3 :no ROWS or COLS defined.
	at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387)
	at java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379)
	at java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112)
```

### References

https://www.oracle.com/java/technologies/javase/seccodeguide.html

Guideline 3-7 / INJECT-7: Disable HTML display in Swing components:

Many Swing pluggable look-and-feels interpret text in certain components starting with `<html>` as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks. To disable the HTML render feature, set the "html.disable" client property of each component to Boolean.TRUE (no other Boolean true instance will do).

```java
label.putClientProperty("html.disable", true);
```
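The guideline applied to an untrusted archive entry name, as an added example (not jadx's code and not part of the advisory). `HtmlDisableDemo`, `safeLabel`, `rendersHtml` and the sample entry name are constructed for illustration; the check reads the `BasicHTML.propertyKey` client property, which holds the HTML renderer when the look-and-feel has installed one.

```java
import javax.swing.JLabel;
import javax.swing.SwingUtilities;
import javax.swing.plaf.basic.BasicHTML;

public class HtmlDisableDemo {
    // Constructed sample: an archive entry name that starts with <html>.
    // It uses harmless markup so the default label can be built without error.
    static final String ENTRY_NAME = "<html><i>classes.dex</i>";

    /**
     * Builds a label for untrusted text. The property is set before the text
     * is assigned, so the HTML renderer is never created for this component.
     */
    static JLabel safeLabel(String untrusted) {
        JLabel label = new JLabel();
        label.putClientProperty("html.disable", Boolean.TRUE);
        label.setText(untrusted);
        return label;
    }

    /** True when an HTML View has been installed on the component. */
    static boolean rendersHtml(JLabel label) {
        return label.getClientProperty(BasicHTML.propertyKey) != null;
    }

    public static void main(String[] args) throws Exception {
        // Swing components are created on the event dispatch thread.
        SwingUtilities.invokeAndWait(() -> {
            JLabel plain = new JLabel(ENTRY_NAME);   // default behaviour
            JLabel hardened = safeLabel(ENTRY_NAME); // html.disable set

            System.out.println("looks like HTML to Swing:     "
                    + BasicHTML.isHTMLString(ENTRY_NAME));
            System.out.println("default label renders HTML:   "
                    + rendersHtml(plain));
            System.out.println("hardened label renders HTML:  "
                    + rendersHtml(hardened));
            // The hardened label keeps the name as literal text.
            System.out.println("hardened label text:          "
                    + hardened.getText());
        });
    }
}
```

The same property has to be set on every component that displays the untrusted string, including labels produced by tree, list and table cell renderers.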
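How to fix CVE-2022-39259
To fix CVE-2022-39259, upgrade the affected package to the patched version listed below.
- Upgrade to 1.4.5 or later
Is CVE-2022-39259 being exploited?
Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)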
- from 0, < 1.4.5
CVSS score
| Source |
|---|