CVE-2020-2800: 
NixOS vulnerability analysis and mitigation

CVE-2020-2800 is a vulnerability in the Java SE and Java SE Embedded products from Oracle Java SE, specifically affecting the Lightweight HTTP Server component. The affected versions include Java SE versions 7u251, 8u241, 11.0.6, and 14, as well as Java SE Embedded version 8u241. This vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized as a CRLF (Carriage Return Line Feed) injection issue in HTTP headers. The issue stems from mishandling of CR/LF characters in header values in the Lightweight HTTP Server component. The vulnerability has a CVSS 3.0 Base Score of 4.8 (Medium) with a vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with high attack complexity (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data, as well as unauthorized read access to a subset of Java SE accessible data. The vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (NVD).

Oracle released patches for this vulnerability in their April 2020 Critical Patch Update. Users should upgrade to Java SE versions 7u261, 8u252, 11.0.7, or later versions. Various Linux distributions have also released security updates including Ubuntu (8u252-b09-1), Debian (11.0.7+10-3~deb10u1), and OpenSUSE (java-1_8_0-openjdk-1.8.0.252) (Ubuntu Notice, Debian Advisory).