CVE-2020-2755: 
NixOS vulnerability analysis and mitigation

CVE-2020-2755 is a vulnerability in Java SE and Java SE Embedded's Scripting component. The affected versions include Java SE versions 8u241, 11.0.6, and 14, as well as Java SE Embedded version 8u241. This vulnerability was discovered and disclosed in December 2019 (MITRE).

The vulnerability involves incorrect handling of empty string nodes in the regular expression Parser component. It has been assigned a CVSS 3.0 Base Score of 3.7 (Low) with the vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified as difficult to exploit and requires network access via multiple protocols (NVD).

A successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Java SE Embedded. The vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, as well as through data supplied to APIs in the specified Component without using sandboxed applications (MITRE).

Oracle released patches for this vulnerability in their April 2020 Critical Patch Update. Users should update to Java SE versions 8u252, 11.0.7, or later versions. For Java SE 8, the fixed version is 8u252-b09. For systems running OpenJDK, similar version updates are available through various distributions (RedHat, Debian).