Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of
Oracle Java SE (component: ImageIO). Supported versions that are affected
are Java SE: 7u311, 8u301, 11.0.12, 17; Oracle GraalVM Enterprise Edition:
20.3.3 and 21.2.0. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java SE,
Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability
can result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Oracle GraalVM Enterprise Edition. Note: This
vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability can also be exploited
by using APIs in the specified Component, e.g., through a web service which
supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts).
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

it was discovered that OpenJDK did not properly restrict the amount
of memory allocated when processing BMP images. An attacker could
use this to specially craft a BMP image file that could cause a
denial of service.