Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00156.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Oracle
  • Graalvm
  • Graalvm For Jdk
  • Jdk
  • Jre
Redhat
  • Enterprise Linux
  • Openjdk
  • Rhel Aus
  • Rhel E4s
  • Rhel Eus
  • Rhel Tus

Configuration 1 [-]

OR cpe:2.3:a:oracle:graalvm:20.3.12:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.3.8:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:22.3.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:11.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:11.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.1:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Build of OpenJDK 11.0.22
Linux cpe:/a:redhat:openjdk:11 RHSA-2024:0231 2024-01-17T00:00:00Z
Windows cpe:/a:redhat:openjdk:11::windows RHSA-2024:0239 2024-01-17T00:00:00Z
Red Hat Build of OpenJDK 17.0.10
Linux cpe:/a:redhat:openjdk:17 RHSA-2024:0240 2024-01-17T00:00:00Z
Windows cpe:/a:redhat:openjdk:17::windows RHSA-2024:0246 2024-01-17T00:00:00Z
Red Hat Build of OpenJDK 21.0.2
Linux cpe:/a:redhat:openjdk:21 RHSA-2024:0247 2024-01-17T00:00:00Z
Windows cpe:/a:redhat:openjdk:21::windows RHSA-2024:0250 2024-01-17T00:00:00Z
Red Hat Build of OpenJDK 8u402
Linux cpe:/a:redhat:openjdk:1.8 RHSA-2024:0222 2024-01-17T00:00:00Z
Windows cpe:/a:redhat:openjdk:1.8::windows RHSA-2024:0230 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 7
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el7_9 cpe:/o:redhat:enterprise_linux:7 RHSA-2024:0223 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el7_9 cpe:/o:redhat:enterprise_linux:7 RHSA-2024:0232 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8
java-21-openjdk-1:21.0.2.0.13-1.el8 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:0248 2024-01-17T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.402.b06-2.el8 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:0265 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-2.el8 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:0266 2024-01-18T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-2.el8 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:0267 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_2 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:0224 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_2 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:0233 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_2 cpe:/a:redhat:rhel_tus:8.2 RHSA-2024:0224 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_2 cpe:/a:redhat:rhel_tus:8.2 RHSA-2024:0233 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_2 cpe:/a:redhat:rhel_e4s:8.2 RHSA-2024:0224 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_2 cpe:/a:redhat:rhel_e4s:8.2 RHSA-2024:0233 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:0225 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:0234 2024-01-17T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-1.el8_4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:0241 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:0225 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:0234 2024-01-17T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-1.el8_4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:0241 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:0225 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:0234 2024-01-17T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-1.el8_4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:0241 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el8_6 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:0226 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el8_6 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:0235 2024-01-17T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-1.el8_6 cpe:/a:redhat:rhel_eus:8.6 RHSA-2024:0242 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-2.el8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:0265 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-2.el8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:0266 2024-01-18T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-2.el8 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:0267 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 9
java-21-openjdk-1:21.0.2.0.13-1.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:0249 2024-01-17T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.402.b06-2.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:0265 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-2.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:0266 2024-01-18T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-2.el9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:0267 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-1.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:0228 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-1.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:0237 2024-01-17T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-1.el9_0 cpe:/a:redhat:rhel_eus:9.0 RHSA-2024:0244 2024-01-17T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
java-1.8.0-openjdk-1:1.8.0.402.b06-2.el9 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:0265 2024-01-17T00:00:00Z
java-11-openjdk-1:11.0.22.0.7-2.el9 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:0266 2024-01-18T00:00:00Z
java-17-openjdk-1:17.0.10.0.7-2.el9 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:0267 2024-01-17T00:00:00Z

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-3728-1 openjdk-11 security update
Debian DSA Debian DSA DSA-5604-1 openjdk-11 security update
Debian DSA Debian DSA DSA-5613-1 openjdk-17 security update
EUVD EUVD EUVD-2024-18634 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Ubuntu USN Ubuntu USN USN-6660-1 OpenJDK 11 vulnerabilities
Ubuntu USN Ubuntu USN USN-6661-1 OpenJDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-6662-1 OpenJDK 21 vulnerabilities
Ubuntu USN Ubuntu USN USN-6696-1 OpenJDK 8 vulnerabilities
Ubuntu USN Ubuntu USN USN-7096-1 OpenJDK 8 vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-20919 cve-icon
https://security.netapp.com/advisory/ntap-20240201-0002/ cve-icon
https://security.netapp.com/advisory/ntap-20241108-0002/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-20919 cve-icon
https://www.oracle.com/security-alerts/cpujan2024.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2024.html#AppendixJAVA cve-icon
History

Tue, 04 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 09 Dec 2024 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle jdk
Oracle jre
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:graalvm:20.3.12:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:21.3.8:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm:22.3.4:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:11.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update391:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:11.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle jdk
Oracle jre

Fri, 01 Nov 2024 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2025-11-04T18:22:39.068Z

Reserved: 2023-12-07T22:28:10.619Z

Link: CVE-2024-20919

cve-icon Vulnrichment

Updated: 2025-11-03T21:52:36.422Z

cve-icon NVD

Status : Modified

Published: 2024-02-17T02:15:46.770

Modified: 2025-11-04T19:16:28.170

Link: CVE-2024-20919

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-01-16T20:00:00Z

Links: CVE-2024-20919 - Bugzilla

cve-icon OpenCVE Enrichment

No data.