org.graalvm.sdk:graal-sdk 20.3.12 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.graalvm.sdk:graal-sdk package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Buffer Overflow org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Buffer Overflow in `hotspot/compiler` due to improper handling of buffers in `addnode.cpp`. How to fix Buffer Overflow? Upgrade `org.graalvm.sdk:graal-sdk` to version 17.0.15, 21.0.7, 24.0.1 or higher.	[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)
M Heap-based Buffer Overflow org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the `Graphics.copyArea` functionality in `client-libs/2d`. An attacker can manipulate memory and potentially execute code. How to fix Heap-based Buffer Overflow? Upgrade `org.graalvm.sdk:graal-sdk` to version 17.0.15, 21.0.7, 24.0.1 or higher.	[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)
C Timing Attack org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Timing Attack in `security-libs/javax.net.ssl` that exposes information from a TLS handshake via side channel. How to fix Timing Attack? Upgrade `org.graalvm.sdk:graal-sdk` to version 17.0.15, 21.0.7, 24.0.1 or higher.	[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)
M Signed to Unsigned Conversion Error org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Signed to Unsigned Conversion Error through the use of multiple protocols. An attacker can compromise accessible data and perform unauthorized update, insert, or delete operations by exploiting APIs in the specified component, typically through a web service which supplies data to these APIs. Note: This is only exploitable if Java deployments load and run untrusted code from the internet and rely on the Java sandbox for security. How to fix Signed to Unsigned Conversion Error? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.17, 21.3.13 or higher.	[,20.3.17)[21.0.0,21.3.13)
M Access Control Bypass org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Access Control Bypass via the `Compiler` component. An attacker can manipulate data by exploiting unprotected APIs or services that interact with the APIs. How to fix Access Control Bypass? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.16, 21.3.12 or higher.	[,20.3.16)[21.0.0,21.3.12)
M Denial of Service (DoS) org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `Serialization` component. An attacker can cause a partial disruption of service by exploiting network access to send crafted data to the APIs involved. How to fix Denial of Service (DoS)? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.16, 21.3.12 or higher.	[,20.3.16)[21.0.0,21.3.12)
M Denial of Service (DoS) org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `Networking` component. An attacker can cause a partial disruption of service by exploiting network protocols to send crafted data or requests. How to fix Denial of Service (DoS)? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.16, 21.3.12 or higher.	[,20.3.16)[21.0.0,21.3.12)
M Information Exposure org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Information Exposure via the `Hotspot` component. An attacker with network access via multiple protocols can compromise the integrity and confidentiality of data by exploiting accessible APIs, particularly through web services that supply data to these APIs. Note: This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. How to fix Information Exposure? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.16, 21.3.12 or higher.	[,20.3.16)[21.0.0,21.3.12)
M Improper Access Control org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Access Control via the `2D` component. An attacker can achieve unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data by exploiting the APIs through a web service which supplies data to these APIs. This is only exploitable in environments where Java applications, such as sandboxed Java Web Start applications or sandboxed Java applets, load and run untrusted code that relies on the Java sandbox for security. How to fix Improper Access Control? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.15, 21.3.11 or higher.	[20.0.0,20.3.15)[21.0.0,21.3.11)
M Resource Exhaustion org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Resource Exhaustion via multiple protocols. An attacker can cause a partial disruption of service by exploiting network access. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code. How to fix Resource Exhaustion? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.15, 21.3.11 or higher.	[,20.3.15)[21.0.0,21.3.11)
L Improper Access Control org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Access Control in the `hotspot/compiler` component. An attacker can compromise data integrity. How to fix Improper Access Control? Upgrade `org.graalvm.sdk:graal-sdk` to version 21.3.10, 22.0.1 or higher.	[,21.3.10)[22.0.0,22.0.1)
L Denial of Service (DoS) org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `hotspot/runtime` component. How to fix Denial of Service (DoS)? Upgrade `org.graalvm.sdk:graal-sdk` to version 21.3.10, 22.0.1 or higher.	[,21.3.10)[22.0.0,22.0.1)
L Access Control Bypass org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Access Control Bypass in the JavaFX media component, when running untrusted code. How to fix Access Control Bypass? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9 or higher.	[,20.3.13)[21.0.0,21.3.9)
L Information Exposure org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Information Exposure via the JavaFX component, when running untrusted code. How to fix Information Exposure? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9 or higher.	[,20.3.13)[21.0.0,21.3.9)
M Improper Input Validation org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the `hotspot/runtime` component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. How to fix Improper Input Validation? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 23.0.0 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)
H Improper Privilege Management org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Privilege Management in the `hotspot/compiler` component. Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security. How to fix Improper Privilege Management? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 22.3.5 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,22.3.5)
M Insertion of Sensitive Information into Log File org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the `security-libs/javax.xml.crypto` component. An attacker with local access could access private keys. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). How to fix Insertion of Sensitive Information into Log File? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 23.0.0 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)
M Improper Input Validation org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the `hotspot/compiler` component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. How to fix Improper Input Validation? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 23.0.0 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)
M Information Exposure org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Information Exposure in the `core-libs/javax.script` component. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). How to fix Information Exposure? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 22.3.5 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,22.3.5)
H Improper Privilege Management org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Privilege Management in the `security-libs/java.security` component. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). How to fix Improper Privilege Management? Upgrade `org.graalvm.sdk:graal-sdk` to version 21.3.9, 22.3.5 or higher.	[,21.3.9)[22.0.0,22.3.5)
H Covert Timing Channel org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Covert Timing Channel in the `security-libs/java.security` component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). How to fix Covert Timing Channel? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9, 23.0.0 or higher.	[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)
L Improper Privilege Management org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Improper Privilege Management via the `JavaFX` component. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). How to fix Improper Privilege Management? Upgrade `org.graalvm.sdk:graal-sdk` to version 20.3.13, 21.3.9 or higher.	[,20.3.13)[21.0.0,21.3.9)
M Denial of Service (DoS) org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are vulnerable to Denial of Service (DoS) in `security-libs/javax.net.ssl`, when running untrusted code. How to fix Denial of Service (DoS)? Upgrade `org.graalvm.sdk:graal-sdk` to version 21.1.0 or higher.	[17.0.0,21.1.0)

Vulnerability

Vulnerable Version

Buffer Overflow

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Buffer Overflow in hotspot/compiler due to improper handling of buffers in addnode.cpp.

How to fix Buffer Overflow?

Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.

[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)

Heap-based Buffer Overflow

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Graphics.copyArea functionality in client-libs/2d. An attacker can manipulate memory and potentially execute code.

How to fix Heap-based Buffer Overflow?

Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.

[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)

Timing Attack

Affected versions of this package are vulnerable to Timing Attack in security-libs/javax.net.ssl that exposes information from a TLS handshake via side channel.

How to fix Timing Attack?

Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.

[,17.0.15)[18.0.0,21.0.7)[22.0.0,24.0.1)

Signed to Unsigned Conversion Error

Affected versions of this package are vulnerable to Signed to Unsigned Conversion Error through the use of multiple protocols. An attacker can compromise accessible data and perform unauthorized update, insert, or delete operations by exploiting APIs in the specified component, typically through a web service which supplies data to these APIs.

Note:

This is only exploitable if Java deployments load and run untrusted code from the internet and rely on the Java sandbox for security.

How to fix Signed to Unsigned Conversion Error?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.17, 21.3.13 or higher.

[,20.3.17)[21.0.0,21.3.13)

Access Control Bypass

Affected versions of this package are vulnerable to Access Control Bypass via the Compiler component. An attacker can manipulate data by exploiting unprotected APIs or services that interact with the APIs.

How to fix Access Control Bypass?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

[,20.3.16)[21.0.0,21.3.12)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Serialization component. An attacker can cause a partial disruption of service by exploiting network access to send crafted data to the APIs involved.

How to fix Denial of Service (DoS)?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

[,20.3.16)[21.0.0,21.3.12)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Networking component. An attacker can cause a partial disruption of service by exploiting network protocols to send crafted data or requests.

How to fix Denial of Service (DoS)?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

[,20.3.16)[21.0.0,21.3.12)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure via the Hotspot component. An attacker with network access via multiple protocols can compromise the integrity and confidentiality of data by exploiting accessible APIs, particularly through web services that supply data to these APIs.

Note:

This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

How to fix Information Exposure?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

[,20.3.16)[21.0.0,21.3.12)

Improper Access Control

Affected versions of this package are vulnerable to Improper Access Control via the 2D component. An attacker can achieve unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data by exploiting the APIs through a web service which supplies data to these APIs. This is only exploitable in environments where Java applications, such as sandboxed Java Web Start applications or sandboxed Java applets, load and run untrusted code that relies on the Java sandbox for security.

How to fix Improper Access Control?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.15, 21.3.11 or higher.

[20.0.0,20.3.15)[21.0.0,21.3.11)

Resource Exhaustion

Affected versions of this package are vulnerable to Resource Exhaustion via multiple protocols. An attacker can cause a partial disruption of service by exploiting network access.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.

How to fix Resource Exhaustion?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.15, 21.3.11 or higher.

[,20.3.15)[21.0.0,21.3.11)

Improper Access Control

Affected versions of this package are vulnerable to Improper Access Control in the hotspot/compiler component. An attacker can compromise data integrity.

How to fix Improper Access Control?

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.10, 22.0.1 or higher.

[,21.3.10)[22.0.0,22.0.1)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in the hotspot/runtime component.

How to fix Denial of Service (DoS)?

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.10, 22.0.1 or higher.

[,21.3.10)[22.0.0,22.0.1)

Access Control Bypass

Affected versions of this package are vulnerable to Access Control Bypass in the JavaFX media component, when running untrusted code.

How to fix Access Control Bypass?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

[,20.3.13)[21.0.0,21.3.9)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure via the JavaFX component, when running untrusted code.

How to fix Information Exposure?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

[,20.3.13)[21.0.0,21.3.9)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the hotspot/runtime component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process.

Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

How to fix Improper Input Validation?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)

Improper Privilege Management

Affected versions of this package are vulnerable to Improper Privilege Management in the hotspot/compiler component.

Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security.

How to fix Improper Privilege Management?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 22.3.5 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,22.3.5)

Insertion of Sensitive Information into Log File

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the security-libs/javax.xml.crypto component. An attacker with local access could access private keys.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the hotspot/compiler component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

How to fix Improper Input Validation?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure in the core-libs/javax.script component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

How to fix Information Exposure?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 22.3.5 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,22.3.5)

Improper Privilege Management

Affected versions of this package are vulnerable to Improper Privilege Management in the security-libs/java.security component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

How to fix Improper Privilege Management?

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.9, 22.3.5 or higher.

[,21.3.9)[22.0.0,22.3.5)

Covert Timing Channel

Affected versions of this package are vulnerable to Covert Timing Channel in the security-libs/java.security component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

How to fix Covert Timing Channel?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

[,20.3.13)[21.0.0,21.3.9)[22.0.0,23.0.0)

Improper Privilege Management

Affected versions of this package are vulnerable to Improper Privilege Management via the JavaFX component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

How to fix Improper Privilege Management?

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

[,20.3.13)[21.0.0,21.3.9)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in security-libs/javax.net.ssl, when running untrusted code.

How to fix Denial of Service (DoS)?

Upgrade org.graalvm.sdk:graal-sdk to version 21.1.0 or higher.

[17.0.0,21.1.0)

org.graalvm.sdk:graal-sdk@20.3.12 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?