Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.4
CVSSv3

CVE-2024-20918

Published: 16/01/2024 Updated: 15/02/2024
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 0
Subscribe to Oracle

Vulnerability Summary

A vulnerability that allows an malicious user to execute arbitrary java code from the javascript engine even though the option "--no-java" was set. (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed. (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-20921) Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2024-20926) Crypto key may be leaked via debug logging in some cases (CVE-2024-20945) Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). (CVE-2024-20952)

Vulnerable Product Search on Vulmon Subscribe to Product

oracle graalvm 21.3.8

oracle graalvm 22.3.4

oracle graalvm 20.3.12

oracle jdk 17.0.9

oracle jdk 21.0.1

oracle jdk 11.0.21

oracle jre 17.0.9

oracle jre 21.0.1

oracle jre 11.0.21

oracle jre 1.8.0

oracle jdk 1.8.0

oracle graalvm for jdk 17.0.9

oracle graalvm for jdk 21.0.1

debian debian linux 10.0

netapp oncommand insight -

netapp cloud insights acquisition unit -

netapp cloud insights storage workload security agent -

Vendor Advisories

Red Hat:
Description<!---->This CVE is under investigation by Red Hat Product Security ...
Red Hat: Important: Red Hat build of Cryostat security update
Synopsis Important: Red Hat build of Cryostat security update Type/Severity Security Advisory: Important Topic An update is now available for the Red Hat build of Cryostat 2 on RHEL 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a ...
Red Hat: Important: java-21-openjdk security update
Synopsis Important: java-21-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-21-openjdk is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this upd ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-11-openjdk is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat Product S ...
Red Hat: Important: Updated RHEL-7-based Middleware container images
概述 Important: Updated RHEL-7-based Middleware container images 类型/严重性 Security Advisory: Important 标题 Updated RHEL-7-based Middleware container images are now availableRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this upd ...
Red Hat: Important: java-1.8.0-openjdk security and bug fix update
Synopsis Important: java-180-openjdk security and bug fix update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-180-openjdk is now available for Red Hat Enterprise Linux 7Red Hat Product Security ...
Red Hat: Important: OpenJDK 21.0.2 security update
Synopsis Important: OpenJDK 2102 security update Type/Severity Security Advisory: Important Topic An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for ea ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-11-openjdk is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Product S ...
Red Hat: Important: java-1.8.0-openjdk security update
Synopsis Important: java-180-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-180-openjdk is now available for Red Hat Enterprise Linux 90 Extended Update SupportRed Hat Pro ...
Red Hat: Important: OpenJDK 17.0.10 security update
Synopsis Important: OpenJDK 17010 security update Type / Sévérité Security Advisory: Important Sujet An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available ...
Red Hat: Important: OpenJDK 17.0.10 security update
Synopsis Important: OpenJDK 17010 security update Type / Sévérité Security Advisory: Important Sujet An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available ...
Red Hat: Important: OpenJDK 11.0.22 security update
Synopsis Important: OpenJDK 11022 security update Type/Severity Security Advisory: Important Topic An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for e ...
Red Hat: Important: OpenJDK 11.0.22 security update
Synopsis Important: OpenJDK 11022 security update Type/Severity Security Advisory: Important Topic An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for e ...
Red Hat: Important: OpenJDK 8u402 security update
概述 Important: OpenJDK 8u402 security update 类型/严重性 Security Advisory: Important 标题 An update is now available for OpenJDKRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for e ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-11-openjdk is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 88 Extended Upda ...
Red Hat: Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement update
Synopsis Moderate: Migration Toolkit for Runtimes security, bug fix and enhancement update Type/Severity Security Advisory: Moderate Topic Migration Toolkit for Runtimes 124 releaseRed Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, which gives a de ...
Red Hat: Important: java-21-openjdk security update
Synopsis Important: java-21-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-21-openjdk is now available for Red Hat Enterprise Linux 9Red Hat Product Security has rated this upd ...
Red Hat: Important: java-1.8.0-openjdk security and bug fix update
Synopsis Important: java-180-openjdk security and bug fix update Type / Sévérité Security Advisory: Important Analyse des correctifs dans Red Hat Insights Identifiez et remédiez aux systèmes concernés par cette alerte Voir les systèmes concernés Sujet An update for java-180-openjdk is now available for Red Hat Enterpris ...
Red Hat: Important: java-17-openjdk security and bug fix update
Synopsis Important: java-17-openjdk security and bug fix update Type / Sévérité Security Advisory: Important Analyse des correctifs dans Red Hat Insights Identifiez et remédiez aux systèmes concernés par cette alerte Voir les systèmes concernés Sujet An update for java-17-openjdk is now available for Red Hat Enterprise Linu ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type / Sévérité Security Advisory: Important Analyse des correctifs dans Red Hat Insights Identifiez et remédiez aux systèmes concernés par cette alerte Voir les systèmes concernés Sujet An update for java-11-openjdk is now available for Red Hat Enterprise Linux 84 Advanc ...
Red Hat: Important: java-17-openjdk security and bug fix update
Synopsis Important: java-17-openjdk security and bug fix update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-17-openjdk is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed H ...
Red Hat: Important: java-11-openjdk security update
Synopsis Important: java-11-openjdk security update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-11-openjdk is now available for Red Hat Enterprise Linux 82 Advanced Update Support, Red Hat Enterpri ...
Red Hat: Important: java-1.8.0-openjdk security and bug fix update
概述 Important: java-180-openjdk security and bug fix update 类型/严重性 Security Advisory: Important Red Hat Insights 补丁分析 识别并修复受此公告影响的系统。 查看受影响的系统 标题 An update for java-180-openjdk is now available for Red Hat Enterprise Linux 86 Extended Update SupportRed Hat ...
Red Hat: Important: java-1.8.0-openjdk security and bug fix update
Synopsis Important: java-180-openjdk security and bug fix update Type/Severity Security Advisory: Important Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic An update for java-180-openjdk is now available for Red Hat Enterprise Linux 82 Advanced Update Support ...
Amazon Linux 2: ALASCORRETTO8-2024-009
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Amazon Linux 2: ALAS-2024-2415
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Amazon Linux 2: ALASCORRETTO8-2024-010
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Amazon Linux 2: ALAS-2024-2438
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Amazon Linux 2: ALASJAVA-OPENJDK11-2024-007
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Amazon Linux 2: ALAS-2024-2414
A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even though the option "--no-java" was set (CVE-2024-20918) With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed (CVE-2024-20919) Loop optimizations are not correct when induction variable overflows (CVE-2024-2092 ...
Hitachi Security Advisories: Multiple Vulnerabilities in Cosminexus
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java contain the following vulnerabilities: CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-20952 Affected products and versions are listed below Please upgrade your version to the appropriate version These vulnera ...
Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center
Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20922, CVE-2024-20923, CVE-2024-20925, CVE-2024-20926, CVE-2024-20932, CVE-2024-20945, CVE-2024-209 ...

References

NVD-CWE-noinfohttps://www.oracle.com/security-alerts/cpujan2024.htmlhttps://lists.debian.org/debian-lts-announce/2024/01/msg00023.htmlhttps://security.netapp.com/advisory/ntap-20240201-0002/https://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2024:0530https://access.redhat.com/security/cve/cve-2024-20918https://alas.aws.amazon.com/AL2/ALASCORRETTO8-2024-009.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
blind SQL injectionCVE-2006-4304CVE-2023-26603CVE-2024-28327CVE-2023-50363CVE-2024-21905template injectionCVE-2024-3400cross-site request forgery
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook