A vulnerability classified as critical has been found in Oracle GraalVM Enterprise Edition 19.3.1/20.0.0. Affected is an unknown code block of the component GraalVM Compiler. This is going to have an impact on integrity. CVE summarizes:

Vulnerability in the Oracle GraalVM Enterprise Edition product of Oracle GraalVM (component: GraalVM Compiler). Supported versions that are affected are 19.3.1 and 20.0.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle GraalVM Enterprise Edition accessible data. CVSS 3.0 Base Score 6.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N).

The weakness was disclosed 04/15/2020 as Oracle Critical Patch Update Advisory - April 2020 as confirmed advisory (Website). The advisory is available at oracle.com. This vulnerability is traded as CVE-2020-2799. The exploitability is told to be difficult. It is possible to launch the attack remotely. The requirement for exploitation is a authentication. The technical details are unknown and an exploit is not available.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 153686, 153290, 153291 and 153293 are pretty similar.

Productinfo

Vendor

• Oracle

Name

• GraalVM Enterprise Edition

Version

• 19.3.1
• 20.0.0

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion