CVE-2024-20955
First published: Tue Jan 16 2024(Updated: )
Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle GraalVM Enterprise Edition | =20.3.12 | |
| Oracle GraalVM Enterprise Edition | =21.3.8 | |
| Oracle GraalVM Enterprise Edition | =22.3.4 | |
| Oracle GraalVM for JDK | =17.0.9 | |
| Oracle GraalVM for JDK | =21.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-20955?
CVE-2024-20955 has a medium severity level due to its difficult exploitability.
How do I fix CVE-2024-20955?
To fix CVE-2024-20955, update Oracle GraalVM for JDK or Oracle GraalVM Enterprise Edition to the latest patched version.
Which versions of Oracle GraalVM are affected by CVE-2024-20955?
Affected versions include Oracle GraalVM for JDK 17.0.9, 21.0.1 and Oracle GraalVM Enterprise Edition 20.3.12, 21.3.8, 22.3.4.
Is CVE-2024-20955 easy to exploit?
CVE-2024-20955 is considered difficult to exploit, which impacts its overall risk assessment.
Are there specific configurations that are more vulnerable to CVE-2024-20955?
There are no specific configurations stated for CVE-2024-20955, but generally, all affected versions should be updated regardless of configuration.
- agent/references
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/event
- agent/remedy
- agent/description
- agent/softwarecombine
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle graalvm enterprise edition
- version/oracle graalvm enterprise edition/20.3.12
- version/oracle graalvm enterprise edition/21.3.8
- version/oracle graalvm enterprise edition/22.3.4
- canonical/oracle graalvm for jdk
- version/oracle graalvm for jdk/17.0.9
- version/oracle graalvm for jdk/21.0.1