CVE-2024-20922 in Java SEinfo

Summary

by MITRE • 01/17/2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 08/25/2025

This vulnerability exists within the Oracle Java SE and Oracle GraalVM Enterprise Edition platforms, specifically affecting the JavaFX component. The flaw is categorized as a low-severity integrity impact vulnerability with a CVSS base score of 2.5, indicating that while it is difficult to exploit, it can result in unauthorized modification of data within the affected systems. The vulnerability impacts Java SE versions 8u391 and GraalVM Enterprise Edition versions 20.3.12 and 21.3.8, representing a significant concern for organizations running these specific software versions.

The technical nature of this vulnerability stems from the way JavaFX handles certain operations within sandboxed environments. Attackers can exploit this weakness by leveraging an unauthenticated access to the infrastructure where Oracle Java SE or GraalVM Enterprise Edition is executing. The attack requires a specific combination of conditions including human interaction from someone other than the attacker, which suggests that social engineering or user manipulation may be necessary to achieve successful exploitation. The vulnerability specifically targets environments that load and execute untrusted code from external sources, particularly those running sandboxed Java Web Start applications or applets.

The operational impact of this vulnerability is significant for organizations that deploy Java applications in client environments where users may encounter untrusted code. While the vulnerability does not affect server deployments that run only trusted code, it poses a risk to client-side applications that rely on Java sandboxing for security. Successful exploitation could allow attackers to perform unauthorized update, insert, or delete operations on data accessible through the affected Java applications. This integrity compromise could lead to data corruption, unauthorized modifications, or potential information leakage from systems running vulnerable Java versions.

Organizations should prioritize patching their systems with the latest Oracle security updates to address this vulnerability. The recommended mitigation strategies include updating to supported versions of Oracle Java SE and GraalVM Enterprise Edition, implementing network segmentation to limit access to vulnerable systems, and monitoring for suspicious activities related to Java application execution. Security teams should also review their Java deployment practices to ensure that only trusted code is executed in sandboxed environments and consider implementing additional security controls such as application whitelisting. This vulnerability aligns with CWE-284 (Improper Access Control) and may be categorized under ATT&CK techniques related to privilege escalation and persistence through compromised client applications. The low attack complexity score suggests that while it requires specific conditions, the vulnerability can be exploited by attackers with basic knowledge of Java security mechanisms.

Responsible

Oracle

Reservation

12/07/2023

Disclosure

01/17/2024

Moderation

accepted

CPE

ready

EPSS

0.00303

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!