Scripting Vulnerability in Oracle Java SE and GraalVM Products
CVE-2024-20926

5.9 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 16 January 2024

Summary

A vulnerability in the Scripting component of Oracle Java SE and GraalVM products allows an unauthenticated attacker with network access via multiple protocols to potentially compromise affected systems. Successful exploitation could result in unauthorized access to critical data, or complete access to all data accessible through these platforms. The risk is most significant for Java applications that run untrusted code in sandboxed environments. The impact is a loss of confidentiality, which calls for immediate awareness and remediation.

Affected Version(s)

Java SE JDK and JRE Oracle Java SE:8u391

Java SE JDK and JRE Oracle Java SE:8u391-perf

Java SE JDK and JRE Oracle Java SE:11.0.21

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
