JavaFX Vulnerability in Oracle Java SE and GraalVM Enterprise Edition
CVE-2024-20922

2.5 LOW

Key Information:

Vendor: Oracle
CVE Published: 16 January 2024

Summary

A vulnerability exists in the JavaFX component of Oracle Java SE and Oracle GraalVM Enterprise Edition. It is difficult to exploit: an unauthenticated attacker needs logon access to the infrastructure where the affected products run, and a successful attack also requires human interaction from a person other than the attacker. The vulnerability applies to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. Successful exploitation can result in unauthorized update, insert, or delete access to some of the data accessible to these products. It does not apply to server-side Java deployments that load and run only trusted code, such as code installed by an administrator.

Affected Version(s)

Java SE JDK and JRE:

  • Oracle Java SE: 8u391

  • Oracle GraalVM Enterprise Edition: 20.3.12

  • Oracle GraalVM Enterprise Edition: 21.3.8

References

CVSS V3.1

Score: 2.5
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
