CVE-2024-20919 : Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Ente

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Published 2024-02-17 02:15:47

Updated 2024-12-09 16:42:40

Source Oracle

View at NVD, CVE.org

Products affected by CVE-2024-20919

Oracle » JDK » Version: 1.8.0 Update Update391
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:-:*:*:*
Matching versions
Oracle » JDK » Version: 1.8.0 Update Update391 Enterprise Performance Pack Edition
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
Matching versions
Oracle » JDK » Version: 11.0.21
cpe:2.3:a:oracle:jdk:11.0.21:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 17.0.9
cpe:2.3:a:oracle:jdk:17.0.9:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 21.0.1
cpe:2.3:a:oracle:jdk:21.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update391
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:-:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update391 Enterprise Performance Pack Edition
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
Matching versions
Oracle » JRE » Version: 11.0.21
cpe:2.3:a:oracle:jre:11.0.21:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 17.0.9
cpe:2.3:a:oracle:jre:17.0.9:*:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 21.0.1
cpe:2.3:a:oracle:jre:21.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Graalvm » Version: 20.3.12 Enterprise Edition
cpe:2.3:a:oracle:graalvm:20.3.12:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 21.3.8 Enterprise Edition
cpe:2.3:a:oracle:graalvm:21.3.8:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 22.3.4 Enterprise Edition
cpe:2.3:a:oracle:graalvm:22.3.4:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm For Jdk » Version: 17.0.9
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.9:*:*:*:*:*:*:*
Matching versions
Oracle » Graalvm For Jdk » Version: 21.0.1
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-20919

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-20919

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	Oracle	2024-02-17
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

References for CVE-2024-20919

https://www.oracle.com/security-alerts/cpujan2024.html

Oracle Critical Patch Update Advisory - January 2024
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-20919

Products affected by CVE-2024-20919

Exploit prediction scoring system (EPSS) score for CVE-2024-20919

CVSS scores for CVE-2024-20919

References for CVE-2024-20919