Security Vulnerability in Oracle Java SE and GraalVM Products
CVE-2024-20932

7.5HIGH

Key Information:

Vendor: Oracle
Status: Java Se Jdk And Jre
Vendor: CVE Published:; 16 January 2024

Summary

A vulnerability has been identified in Oracle Java SE, along with its GraalVM for JDK and GraalVM Enterprise Edition products. This issue allows unauthenticated attackers with network access through multiple protocols to potentially compromise the integrity of data stored within these systems. The risk is notably prominent in Java deployments that utilize sandboxed applications, particularly those running untrusted code, such as Java Web Start applications or applets sourced from the internet. Attackers could leverage this flaw to create, delete, or modify critical data, thus posing a significant threat to the security of information processed by affected Oracle products. It is critical for users operating in environments reliant on Java's security mechanisms to remain vigilant and apply appropriate mitigations.

Affected Version(s)

Java SE JDK and JRE Oracle Java SE:17.0.9

Java SE JDK and JRE Oracle GraalVM for JDK:17.0.9

Java SE JDK and JRE Oracle GraalVM Enterprise Edition:21.3.8

References

https://www.oracle.com/security-alerts/cpujan2024.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20240201-0002/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Dec 7, 2023