Search for vulnerabilities
Vulnerability details: VCID-2kq3-s3q7-vbcn
Vulnerability ID VCID-2kq3-s3q7-vbcn
Aliases CVE-2022-42920
GHSA-97xg-phpr-rg8q
Summary Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-787 Out-of-bounds Write
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42920.json
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
epss 0.03792 https://api.first.org/data/v1/epss?cve=CVE-2022-42920
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-97xg-phpr-rg8q
cvssv3.1 9.8 https://github.com/apache/commons-bcel
generic_textual CRITICAL https://github.com/apache/commons-bcel
cvssv3.1 9.8 https://github.com/apache/commons-bcel/pull/147
generic_textual CRITICAL https://github.com/apache/commons-bcel/pull/147
cvssv3.1 9.8 https://issues.apache.org/jira/browse/BCEL-363
generic_textual CRITICAL https://issues.apache.org/jira/browse/BCEL-363
cvssv3.1 9.8 https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
generic_textual CRITICAL https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
cvssv3.1 9.8 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
generic_textual CRITICAL https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-42920
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2022-42920
cvssv3.1 9.8 https://security.gentoo.org/glsa/202401-25
generic_textual CRITICAL https://security.gentoo.org/glsa/202401-25
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2022/11/07/2
generic_textual CRITICAL http://www.openwall.com/lists/oss-security/2022/11/07/2
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42920.json
https://api.first.org/data/v1/epss?cve=CVE-2022-42920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42920
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/commons-bcel
https://github.com/apache/commons-bcel/pull/147
https://issues.apache.org/jira/browse/BCEL-363
https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/
https://nvd.nist.gov/vuln/detail/CVE-2022-42920
https://security.gentoo.org/glsa/202401-25
http://www.openwall.com/lists/oss-security/2022/11/07/2
2142707 https://bugzilla.redhat.com/show_bug.cgi?id=2142707
cpe:2.3:a:apache:commons_bcel:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:commons_bcel:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
GHSA-97xg-phpr-rg8q https://github.com/advisories/GHSA-97xg-phpr-rg8q
RHSA-2022:8958 https://access.redhat.com/errata/RHSA-2022:8958
RHSA-2022:8959 https://access.redhat.com/errata/RHSA-2022:8959
RHSA-2023:0004 https://access.redhat.com/errata/RHSA-2023:0004
RHSA-2023:0005 https://access.redhat.com/errata/RHSA-2023:0005
RHSA-2023:0470 https://access.redhat.com/errata/RHSA-2023:0470
RHSA-2023:0471 https://access.redhat.com/errata/RHSA-2023:0471
RHSA-2023:0934 https://access.redhat.com/errata/RHSA-2023:0934
RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983
USN-7208-1 https://usn.ubuntu.com/7208-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-42920.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/commons-bcel
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/commons-bcel/pull/147
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://issues.apache.org/jira/browse/BCEL-363
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-42920
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202401-25
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2022/11/07/2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.87637
EPSS Score 0.03792
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:48:39.894260+00:00 Ubuntu USN Importer Import https://usn.ubuntu.com/7208-1/ 37.0.0