{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2017-20227", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-28T11:44:17.954Z", "datePublished": "2026-03-28T11:58:11.134Z", "dateUpdated": "2026-03-28T11:58:11.134Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-28T11:58:11.134Z"}, "title": "JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow", "descriptions": [{"lang": "en", "value": "JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer boundaries. Attackers can craft malicious input passed to the jad command to overflow the stack and execute a return-oriented programming chain that spawns a shell."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out-of-bounds Write", "cweId": "CWE-787", "type": "CWE"}]}], "affected": [{"vendor": "Varaneckas", "product": "JAD Java Decompiler", "versions": [{"version": "1.5.8e", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/42255", "name": "ExploitDB-42255", "tags": ["exploit"]}, {"url": "http://www.varaneckas.com/jad/", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow"}], "credits": [{"lang": "en", "value": "Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2017-06-26T00:00:00.000Z"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer boundaries. Attackers can craft malicious input passed to the jad command to overflow the stack and execute a return-oriented programming chain that spawns a shell."}], "id": "CVE-2017-20227", "lastModified": "2026-03-30T13:26:07.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-28T12:16:01.993", "references": [{"source": "disclosure@vulncheck.com", "url": "http://www.varaneckas.com/jad/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/42255"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.5.8e"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JAD Java Decompiler", "source": "cna", "vendor": "Varaneckas"}, "product": "jad_java_decompiler", "vendor": "varaneckas"}], "analysis": {"en": {"generated_at": "2026-03-28T13:51:25.162320+00:00", "value": {"mitigation_remediation": ["Upgrade or replace JAD with a non\u2011vulnerable version if one is available", "If a replacement is not immediately possible, restrict execution of the jad binary to trusted users only", "Run the jad executable in a sandboxed or isolated environment to limit potential impact", "Monitor vendor channels for updates and apply any released patches promptly"], "summary": {"action": "Apply Upgrade", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Varaneckas JAD Java Decompiler 1.5.8e-1kali1 and any earlier releases. It is relevant on any operating system where the jad binary can be executed. No other vendors or products are listed as affected.", "description_and_impact": "JAD Java Decompiler version 1.5.8e-1kali1 and earlier contains a stack-based buffer overflow that can be triggered by providing an overly long input to the jad command. The overflow permits an attacker to overwrite the stack, launch a return-oriented programming chain, and spawn a shell, resulting in arbitrary code execution. This weakness corresponds to CWE\u2011787, a classic stack buffer overflow.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a severe impact. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. The attacker needs the ability to supply input to the jad command, which typically requires local execution of the binary. This inference is based on the description that the overflow is triggered by crafted input passed to the jad executable; no network-based service is mentioned for exploitation."}}}}, "created": "2026-03-29T20:32:19.883053+00:00", "updated": "2026-03-30T06:59:13.774821+00:00", "vendors": ["varaneckas", "varaneckas$PRODUCT$jad_java_decompiler"]}