CVE-2024-20955

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.oracle.com/security-alerts/cpujan2024.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oracle:graalvm:20.3.12::::enterprise:::
	cpe:2.3:a:oracle:graalvm:21.3.8::::enterprise:::
	cpe:2.3:a:oracle:graalvm:22.3.4::::enterprise:::
	cpe:2.3:a:oracle:graalvm_for_jdk:17.0.9:::::::*
	cpe:2.3:a:oracle:graalvm_for_jdk:21.0.1:::::::*

History

09 Feb 2024, 02:26

Type	Values Removed	Values Added
First Time		Oracle graalvm For Jdk
CPE	cpe:2.3:a:oracle:jre:17.0.9:::::::* cpe:2.3:a:oracle:jdk:17.0.9:::::::*	cpe:2.3:a:oracle:graalvm_for_jdk:17.0.9:::::::* cpe:2.3:a:oracle:graalvm_for_jdk:21.0.1:::::::* cpe:2.3:a:oracle:graalvm:20.3.12::::enterprise:::

26 Jan 2024, 22:15

Type	Values Removed	Values Added
Summary	Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).	Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

23 Jan 2024, 19:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:oracle:jdk:17.0.9:::::::* cpe:2.3:a:oracle:graalvm:21.3.8::::enterprise::: cpe:2.3:a:oracle:jre:17.0.9:::::::* cpe:2.3:a:oracle:graalvm:22.3.4::::enterprise:::
First Time		Oracle Oracle jre Oracle jdk Oracle graalvm
CWE		NVD-CWE-noinfo
References	~~() https://www.oracle.com/security-alerts/cpujan2024.html -~~	() https://www.oracle.com/security-alerts/cpujan2024.html - Patch, Vendor Advisory

16 Jan 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-16 22:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-20955

Mitre link : CVE-2024-20955

CVE.ORG link : CVE-2024-20955

JSON object : View

Products Affected

oracle

graalvm
graalvm_for_jdk

CWE

NVD-CWE-noinfo

3.7 /10