Vulnerability in Oracle Java SE and GraalVM Enterprise Edition Affecting Multiple Versions
CVE-2024-21002

CVSS v3.1 base score: 2.5 (LOW)

Key Information:

Vendor: Oracle
CVE Published: 16 April 2024

Summary

A vulnerability exists in the JavaFX component of Oracle Java SE and Oracle GraalVM Enterprise Edition. It can be exploited by an unauthenticated attacker who can log on to the infrastructure where these products run, but exploitation is difficult and requires interaction from a user other than the attacker. Successful exploitation can result in unauthorized update, insert, or delete access to some of the data accessible to the affected products; it does not affect confidentiality or availability (see the CVSS metrics below). The vulnerability applies to Java deployments that run sandboxed Java Web Start applications or sandboxed applets that load and execute untrusted code, and it illustrates the risk of loading external code without proper validation.

Affected Version(s)

  • Oracle Java SE (JDK and JRE): 8u401
  • Oracle GraalVM Enterprise Edition (JDK and JRE): 20.3.13
  • Oracle GraalVM Enterprise Edition (JDK and JRE): 21.3.9

CVSS V3.1

Score: 2.5
Severity: LOW
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 16 April 2024