Cyber Resilience

CVE-2024-20926

Medium · RCE

Published: 16 January 2024

Modified: 03 November 2025
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0025 (48.4th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20926 is a medium-severity Improper Access Control (CWE-284) vulnerability in the Oracle JDK. Its CVSS base score is 5.9 (Medium).

Operationally, it ranks at the 48.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.


Vulnerability details

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s)

CWE-284 (Improper Access Control)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle / graalvm: 20.3.12, 21.3.8, 22.3.4
oracle / graalvm for jdk: 17.0.9, 21.0.1
oracle / jdk: 1.8.0, 11.0.21, 17.0.9, 21.0.1
oracle / jre: 1.8.0, 11.0.21, 17.0.9, 21.0.1
netapp / cloud insights acquisition unit: all versions
netapp / cloud insights storage workload security agent: all versions
netapp / oncommand insight: all versions
debian / debian linux: 10.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates.
addresses: CWE-284 CWE-693

Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies.
addresses: CWE-284 CWE-693

The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.
addresses: CWE-284 CWE-693

The policy defines roles, responsibilities, and management commitment for authorization and monitoring, establishing formal access controls over these security functions.
addresses: CWE-284 CWE-693

Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.
addresses: CWE-284 CWE-693

Certification requires independent assessment confirming access controls are implemented correctly and effective.
addresses: CWE-284 CWE-693

The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
addresses: CWE-284 CWE-502

Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.
