Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2024-AVI-0594
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans Oracle Java SE. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Java SE | Java SE versions 11.x antérieures à 11.0.24, versions 17.x antérieures à 17.0.12, versions 21.x antérieures à 21.0.4 et versions 22.x antérieures à 22.0.2 | ||
| Oracle | Java SE | GraalVM for JDK versions 17.x antérieures à 17.0.12, versions 21.x antérieures à 21.0.4 et versions 22.x antérieures à 22.0.2 | ||
| Oracle | Java SE | GraalVM Enterprise Edition versions 20.x antérieures à 20.3.15 et versions 21.x antérieures à 21.3.11 | ||
| Oracle | Java SE | Java SE versions 8u411 et 8u411-perf sans les derniers correctifs de sécurité |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Java SE versions 11.x ant\u00e9rieures \u00e0 11.0.24, versions 17.x ant\u00e9rieures \u00e0 17.0.12, versions 21.x ant\u00e9rieures \u00e0 21.0.4 et versions 22.x ant\u00e9rieures \u00e0 22.0.2",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "GraalVM for JDK versions 17.x ant\u00e9rieures \u00e0 17.0.12, versions 21.x ant\u00e9rieures \u00e0 21.0.4 et versions 22.x ant\u00e9rieures \u00e0 22.0.2 ",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "GraalVM Enterprise Edition versions 20.x ant\u00e9rieures \u00e0 20.3.15 et versions 21.x ant\u00e9rieures \u00e0 21.3.11",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Java SE versions 8u411 et 8u411-perf sans les derniers correctifs de s\u00e9curit\u00e9",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-21144",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21144"
},
{
"name": "CVE-2024-27983",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27983"
},
{
"name": "CVE-2024-21147",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21147"
},
{
"name": "CVE-2024-21140",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21140"
},
{
"name": "CVE-2024-21138",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21138"
},
{
"name": "CVE-2024-21145",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21145"
},
{
"name": "CVE-2024-21131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21131"
}
],
"initial_release_date": "2024-07-17T00:00:00",
"last_revision_date": "2024-07-17T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0594",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-07-17T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Java SE. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Java SE",
"vendor_advisories": [
{
"published_at": "2024-07-16",
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2024",
"url": "https://www.oracle.com/security-alerts/cpujul2024.html#AppendixJAVA"
},
{
"published_at": "2024-07-16",
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpujul2024verbose",
"url": "https://www.oracle.com/security-alerts/cpujul2024verbose.html#JAVA"
}
]
}
CVE-2024-21138 (GCVE-0-2024-21138)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-03-13 17:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T13:32:40.581780Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T17:09:26.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle Java SE:17.0.11"
},
{
"status": "affected",
"version": "Oracle Java SE:21.0.3"
},
{
"status": "affected",
"version": "Oracle Java SE:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:17.0.11"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:21.0.3"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:11.463Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21138",
"datePublished": "2024-07-16T22:39:56.205Z",
"dateReserved": "2023-12-07T22:28:10.682Z",
"dateUpdated": "2025-03-13T17:09:26.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27983 (GCVE-0-2024-27983)
Vulnerability from cvelistv5
Published
2024-04-09 01:06
Modified
2025-04-30 22:25
Severity ?
VLAI Severity ?
EPSS score ?
Summary
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NodeJS | Node |
Version: 4.0 ≤ Version: 5.0 ≤ Version: 6.0 ≤ Version: 7.0 ≤ Version: 8.0 ≤ Version: 9.0 ≤ Version: 10.0 ≤ Version: 11.0 ≤ Version: 12.0 ≤ Version: 13.0 ≤ Version: 14.0 ≤ Version: 15.0 ≤ Version: 16.0 ≤ Version: 17.0 ≤ Version: 18.0 ≤ Version: 19.0 ≤ Version: 20.0 ≤ Version: 21.0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/2319584"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0002/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nodejs:nodejs:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "nodejs",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "18.20.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "20.12.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "21.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-09T19:14:56.001352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:08:27.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Node",
"vendor": "NodeJS",
"versions": [
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.20.1",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
},
{
"lessThan": "20.12.1",
"status": "affected",
"version": "20.0",
"versionType": "semver"
},
{
"lessThan": "21.7.2",
"status": "affected",
"version": "21.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T22:25:15.944Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/2319584"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDECX4BYZLMM4S4LALN4DPZ2HUTTPLKE/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YDVFUH7ACZPYB3BS4SVILNOY7NQU73VW/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0002/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2024-27983",
"datePublished": "2024-04-09T01:06:43.681Z",
"dateReserved": "2024-02-29T01:04:06.641Z",
"dateUpdated": "2025-04-30T22:25:15.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21147 (GCVE-0-2024-21147)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-02-13 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8u411"
},
{
"status": "affected",
"version": "8u411-perf"
},
{
"status": "affected",
"version": "11.0.23"
},
{
"status": "affected",
"version": "17.0.11"
},
{
"status": "affected",
"version": "21.0.3"
},
{
"status": "affected",
"version": "22.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:graalvm_for_jdk:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "graalvm_for_jdk",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "17.0.11"
},
{
"status": "affected",
"version": "21.0.3"
},
{
"status": "affected",
"version": "22.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:graalvm_enterprise_edition:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "graalvm_enterprise_edition",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "20.3.14"
},
{
"status": "affected",
"version": "21.3.10"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T03:55:25.572Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle Java SE:17.0.11"
},
{
"status": "affected",
"version": "Oracle Java SE:21.0.3"
},
{
"status": "affected",
"version": "Oracle Java SE:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:17.0.11"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:21.0.3"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:13.008Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21147",
"datePublished": "2024-07-16T22:39:59.298Z",
"dateReserved": "2023-12-07T22:28:10.683Z",
"dateUpdated": "2025-02-13T17:33:14.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21140 (GCVE-0-2024-21140)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-02-13 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:oracle:java_se:8u411:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8u411"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:java_se:8u411-perf:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "8u411-perf"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:java_se:11.0.23:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "11.0.23"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:java_se:17.0.11:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "17.0.11"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:java_se:21.0.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.3"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:java_se:22.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "java_se",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "22.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jdk:17.0.11:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jdk",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "17.0.11"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jdk:21.0.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jdk",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.0.3"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jdk:22.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jdk",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "22.0.1"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jre:20.3.14:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jre",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "20.3.14"
}
]
},
{
"cpes": [
"cpe:2.3:a:oracle:jre:21.3.10:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jre",
"vendor": "oracle",
"versions": [
{
"status": "affected",
"version": "21.3.10"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T13:27:50.068398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T15:24:58.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle Java SE:17.0.11"
},
{
"status": "affected",
"version": "Oracle Java SE:21.0.3"
},
{
"status": "affected",
"version": "Oracle Java SE:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:17.0.11"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:21.0.3"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:09.873Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21140",
"datePublished": "2024-07-16T22:39:56.895Z",
"dateReserved": "2023-12-07T22:28:10.682Z",
"dateUpdated": "2025-02-13T17:33:12.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21131 (GCVE-0-2024-21131)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-02-13 17:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T13:34:16.932375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T17:07:59.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.680Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle Java SE:17.0.11"
},
{
"status": "affected",
"version": "Oracle Java SE:21.0.3"
},
{
"status": "affected",
"version": "Oracle Java SE:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:17.0.11"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:21.0.3"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:06.593Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21131",
"datePublished": "2024-07-16T22:39:53.849Z",
"dateReserved": "2023-12-07T22:28:10.682Z",
"dateUpdated": "2025-02-13T17:33:11.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21144 (GCVE-0-2024-21144)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-03-25 16:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:20:24.869765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-25T16:48:54.241Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:18.095Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0007/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21144",
"datePublished": "2024-07-16T22:39:58.306Z",
"dateReserved": "2023-12-07T22:28:10.683Z",
"dateUpdated": "2025-03-25T16:48:54.241Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21145 (GCVE-0-2024-21145)
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-08-26 20:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T13:58:12.588215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:05:30.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:13:42.684Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Java SE JDK and JRE",
"vendor": "Oracle Corporation",
"versions": [
{
"status": "affected",
"version": "Oracle Java SE:8u411"
},
{
"status": "affected",
"version": "Oracle Java SE:8u411-perf"
},
{
"status": "affected",
"version": "Oracle Java SE:11.0.23"
},
{
"status": "affected",
"version": "Oracle Java SE:17.0.11"
},
{
"status": "affected",
"version": "Oracle Java SE:21.0.3"
},
{
"status": "affected",
"version": "Oracle Java SE:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:17.0.11"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:21.0.3"
},
{
"status": "affected",
"version": "Oracle GraalVM for JDK:22.0.1"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:20.3.14"
},
{
"status": "affected",
"version": "Oracle GraalVM Enterprise Edition:21.3.10"
}
]
}
],
"descriptions": [
{
"lang": "en-US",
"value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
"lang": "en-US"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T13:06:08.196Z",
"orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"shortName": "oracle"
},
"references": [
{
"name": "Oracle Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240719-0008/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
"assignerShortName": "oracle",
"cveId": "CVE-2024-21145",
"datePublished": "2024-07-16T22:39:58.658Z",
"dateReserved": "2023-12-07T22:28:10.683Z",
"dateUpdated": "2025-08-26T20:05:30.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…