Unauthenticated Network Vulnerability in Oracle Java SE and GraalVM Products
CVE-2024-20918

7.4 HIGH

Key Information:

Vendor: Oracle
CVE Published: 16 January 2024

Summary

A vulnerability in Oracle Java SE and Oracle GraalVM products allows an unauthenticated attacker with network access, via multiple protocols, to compromise the affected products. The flaw primarily affects versions such as Oracle Java SE 8u391, 11.0.21, and GraalVM for JDK 17.0.9. Successful exploitation can result in unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible to the affected products. Exploitation occurs through APIs in the Hotspot component, and the vulnerability is most relevant to deployments that use Java to run untrusted code, such as sandboxed applications. Security measures are recommended to mitigate these risks.

Affected Version(s)

  • Java SE JDK and JRE: Oracle Java SE 8u391

  • Java SE JDK and JRE: Oracle Java SE 8u391-perf

  • Java SE JDK and JRE: Oracle Java SE 11.0.21

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved