CVE-2020-2754: 
NixOS vulnerability analysis and mitigation

CVE-2020-2754 is a vulnerability discovered in Oracle Java SE and Java SE Embedded products, affecting versions Java SE: 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. The vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update (Oracle CPU). It specifically affects the Scripting component of Java SE and involves a misplaced regular expression syntax error check in RegExpScanner (Ubuntu Notice).

The vulnerability is classified as difficult to exploit and has a CVSS 3.0 Base Score of 3.7 (Low severity) with the following vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability can be exploited through network access via multiple protocols, and does not require user privileges or interaction. It affects both client and server deployments of Java and can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, or by supplying data to APIs in the specified Component without using sandboxed applications (NetApp Advisory).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Java SE Embedded. The impact is limited to availability with no direct effects on confidentiality or integrity of the system (MITRE CVE).

Oracle released patches for this vulnerability in their April 2020 Critical Patch Update. The fixed versions include Java SE versions 8u252, 11.0.7, and 14.0.1. Users are strongly recommended to update to these patched versions. For Java SE 8, the update is available as version 1.8.0.252.b09 (Red Hat Advisory).