CVE-2024-20954

CVE-2024-20954

Name

CVE-2024-20954

Description

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
vendor-advisory	https://www.oracle.com/security-alerts/cpuapr2024.html

Type

URI

vendor-advisory

https://www.oracle.com/security-alerts/cpuapr2024.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm-for-jdk	== Oracle GraalVM for JDK:17.0.10	== Oracle GraalVM for JDK:17.0.10
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm-for-jdk	== Oracle GraalVM for JDK:21.0.2	== Oracle GraalVM for JDK:21.0.2
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm-for-jdk	== Oracle GraalVM for JDK:22	== Oracle GraalVM for JDK:22
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm-for-jdk	== Oracle GraalVM Enterprise Edition:20.3.13	== Oracle GraalVM Enterprise Edition:20.3.13
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm-for-jdk	== Oracle GraalVM Enterprise Edition:21.3.9	== Oracle GraalVM Enterprise Edition:21.3.9
`cpe:2.3:a:oracle:graalvm:20.3.13::::enterprise:::`	graalvm	== None	== 20.3.13
`cpe:2.3:a:oracle:graalvm:21.3.9::::enterprise:::`	graalvm	== None	== 21.3.9
`cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:::::::*`	graalvm_for_jdk	== None	== 17.0.10
`cpe:2.3:a:oracle:graalvm_for_jdk:21.0.2:::::::*`	graalvm_for_jdk	== None	== 21.0.2
`cpe:2.3:a:oracle:graalvm_for_jdk:22:::::::*`	graalvm_for_jdk	== None	== 22

CPE URI

Source package

Min version

Max version

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm-for-jdk

== Oracle GraalVM for JDK:17.0.10

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm-for-jdk

== Oracle GraalVM for JDK:21.0.2

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm-for-jdk

== Oracle GraalVM for JDK:22

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm-for-jdk

== Oracle GraalVM Enterprise Edition:20.3.13

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm-for-jdk

== Oracle GraalVM Enterprise Edition:21.3.9

cpe:2.3:a:oracle:graalvm:20.3.13:*:*:*:enterprise:*:*:*

graalvm

== None

== 20.3.13

cpe:2.3:a:oracle:graalvm:21.3.9:*:*:*:enterprise:*:*:*

graalvm

== None

== 21.3.9

cpe:2.3:a:oracle:graalvm_for_jdk:17.0.10:*:*:*:*:*:*:*

graalvm_for_jdk

== None

== 17.0.10

cpe:2.3:a:oracle:graalvm_for_jdk:21.0.2:*:*:*:*:*:*:*

graalvm_for_jdk

== None

== 21.0.2

cpe:2.3:a:oracle:graalvm_for_jdk:22:*:*:*:*:*:*:*

graalvm_for_jdk

== None

== 22

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
openjdk17	3.19-community	17.0.11_p9-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed
openjdk21	3.19-community	21.0.3_p9-r0	Simon Frankenberger <simon-alpine@fraho.eu>	fixed

Source package

Branch

Version

Maintainer

Status

openjdk17

3.19-community

17.0.11_p9-r0

Simon Frankenberger <simon-alpine@fraho.eu>

fixed

openjdk21

3.19-community

21.0.3_p9-r0

Simon Frankenberger <simon-alpine@fraho.eu>

fixed

References

Match rules

Vulnerable and fixed packages