CVE-2024-20926
Published: 16 January 2024
Summary
CVE-2024-20926 is a medium-severity Improper Access Control (CWE-284) vulnerability in the Scripting component of Oracle Java SE and Oracle GraalVM. Its CVSS 3.1 base score is 5.9 (Medium): reachable over the network with high attack complexity, no privileges or user interaction required, and a confidentiality-only impact (no integrity or availability impact).
Operationally, it ranks at the 48.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18640
Vulnerability details
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
- CWE(s): CWE-284 (Improper Access Control)
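The practical question for this advisory is whether a given host runs one of the listed builds. The following POSIX shell check is an added example, not part of the advisory or of any Oracle tooling: it parses the output of `java -version` and reports `affected` only for the version lines the advisory names (8u391 and earlier on the 8 line, 11.0.21 and earlier on the 11 line, and 17.0.9 and earlier only when the VM line identifies itself as GraalVM, since Oracle Java SE 17 is not in the affected list). Everything else is reported as `not-listed` so the operator checks the vendor matrix rather than trusting a heuristic; GraalVM Enterprise Edition 20.3.x/21.3.x/22.3.x is not classified here because its version is not reliably recoverable from the `java -version` line. The sample outputs at the bottom are constructed for a self-check, not captured from real hosts. Context the advisory does not spell out: in Java 8 and 11 the Scripting component is the `javax.script` API backed by the Nashorn engine, which JEP 372 removed from the JDK in 15.

```shell
#!/bin/sh
# Added example (not from the advisory or Oracle): classify `java -version`
# output against the affected versions CVE-2024-20926 lists.

# classify_java_version OUTPUT
#   OUTPUT is the full text of `java -version 2>&1` (all lines).
#   Prints one of: affected, not-listed, unknown
classify_java_version() {
    out=$1
    # The version string is quoted on the first line, e.g.
    #   java version "1.8.0_391"              (Java 8)
    #   openjdk version "11.0.21" 2023-10-17  (Java 11)
    ver=$(printf '%s\n' "$out" | sed -n '1s/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    case $ver in
        1.8.0_*)
            # Java 8 carries the update number after the underscore; drop any
            # non-numeric suffix such as "-perf" (the 8u391-perf build) or "-b13".
            upd=$(printf '%s' "${ver#1.8.0_}" | sed 's/[^0-9].*//')
            [ -n "$upd" ] || { echo unknown; return 0; }
            if [ "$upd" -le 391 ]; then echo affected; else echo not-listed; fi
            return 0
            ;;
    esac

    # JDK 9+ uses MAJOR.MINOR.PATCH with an optional "+build" or "-pre" suffix.
    ver=${ver%%[+-]*}
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    case "$major$minor$patch" in *[!0-9]*) echo unknown; return 0;; esac

    case $major in
        11)
            # Oracle Java SE 11: advisory lists 11.0.21 (so 11.0.21 and earlier).
            if [ "$minor" -eq 0 ] && [ "$patch" -le 21 ]; then
                echo affected
            else
                echo not-listed
            fi
            ;;
        17)
            # Only GraalVM for JDK 17.0.9 is listed, not Oracle Java SE 17.
            # GraalVM names itself on the VM line of `java -version`.
            if printf '%s\n' "$out" | grep -qi graalvm \
               && [ "$minor" -eq 0 ] && [ "$patch" -le 9 ]; then
                echo affected
            else
                echo not-listed
            fi
            ;;
        *)
            echo not-listed
            ;;
    esac
}

# Constructed sample outputs (not captured from real hosts) for a self-check.
SAMPLE_8='java version "1.8.0_391"
Java(TM) SE Runtime Environment
Java HotSpot(TM) 64-Bit Server VM'
SAMPLE_11='openjdk version "11.0.21" 2023-10-17
OpenJDK Runtime Environment
OpenJDK 64-Bit Server VM'
SAMPLE_GRAAL17='java version "17.0.9" 2023-10-17 LTS
Java(TM) SE Runtime Environment Oracle GraalVM 17.0.9
Java HotSpot(TM) 64-Bit Server VM Oracle GraalVM 17.0.9'

for s in "$SAMPLE_8" "$SAMPLE_11" "$SAMPLE_GRAAL17"; do
    printf '%-40s -> %s\n' "$(printf '%s\n' "$s" | sed -n 1p)" \
        "$(classify_java_version "$s")"
done

# Run against the JDK on this host, if there is one.
if command -v java >/dev/null 2>&1; then
    printf 'local java -> %s\n' "$(classify_java_version "$(java -version 2>&1)")"
fi
```

Use the verdict as a triage signal only: a `not-listed` result for a version newer than those named means the build postdates the advisory's list, and an `unknown` result means the output did not look like `java -version` at all (for example, `java` missing from PATH).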
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates.
- Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies.
- The awareness and training policy mandates training on access control practices, directly reducing the likelihood of improper access control weaknesses being introduced or exploited.
- The policy defines roles, responsibilities, and management commitment for authorization and monitoring, establishing formal access controls over these security functions.
- Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.
- Certification requires independent assessment confirming access controls are implemented correctly and effective.
- The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
- Penetration testing simulates unauthorized access attempts, directly detecting and enabling remediation of improper access control weaknesses.