Oracle Java SE Vulnerability Affects Multiple Versions, Including 8u391, 11.0.21, and 21.0.1
CVE-2024-20952

7.4HIGH

Key Information:

Vendor: Oracle
Status: Java Se Jdk And Jre
Vendor: CVE Published:; 16 January 2024

Summary

This vulnerability impacts Oracle Java SE and GraalVM products, allowing unauthenticated attackers with network access through various protocols to exploit critical weaknesses. It targets Java deployments, specifically those running sandboxed Java Web Start applications or applets that load untrusted code from the internet. Successful exploitation could lead to the unauthorized creation, deletion, or alteration of critical data. Notably, the vulnerability does not affect trusted Java deployments running on servers. Users are encouraged to update their systems to mitigate potential risks associated with this security issue.

Affected Version(s)

Java SE JDK and JRE Oracle Java SE:8u391

Java SE JDK and JRE Oracle Java SE:8u391-perf

Java SE JDK and JRE Oracle Java SE:11.0.21

References

https://www.oracle.com/security-alerts/cpujan2024.html

vendor-advisory

https://lists.debian.org/debian-lts-announce/2024/01/msg0...

https://security.netapp.com/advisory/ntap-20240201-0002/

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Dec 7, 2023