org.graalvm.sdk:graal-sdk@20.3.9 vulnerabilities

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Graphics.copyArea functionality in client-libs/2d. An attacker can manipulate memory and potentially execute code.

Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Timing Attack in security-libs/javax.net.ssl that exposes information from a TLS handshake via side channel.

Upgrade org.graalvm.sdk:graal-sdk to version 17.0.15, 21.0.7, 24.0.1 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Signed to Unsigned Conversion Error through the use of multiple protocols. An attacker can compromise accessible data and perform unauthorized update, insert, or delete operations by exploiting APIs in the specified component, typically through a web service which supplies data to these APIs.

Note:

This is only exploitable if Java deployments load and run untrusted code from the internet and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.17, 21.3.13 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Access Control Bypass via the Compiler component. An attacker can manipulate data by exploiting unprotected APIs or services that interact with the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Serialization component. An attacker can cause a partial disruption of service by exploiting network access to send crafted data to the APIs involved.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Networking component. An attacker can cause a partial disruption of service by exploiting network protocols to send crafted data or requests.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Information Exposure via the Hotspot component. An attacker with network access via multiple protocols can compromise the integrity and confidentiality of data by exploiting accessible APIs, particularly through web services that supply data to these APIs.

Note:

This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.16, 21.3.12 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Access Control via the 2D component. An attacker can achieve unauthorized update, insert, or delete access to some accessible data as well as unauthorized read access to a subset of accessible data by exploiting the APIs through a web service which supplies data to these APIs. This is only exploitable in environments where Java applications, such as sandboxed Java Web Start applications or sandboxed Java applets, load and run untrusted code that relies on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.15, 21.3.11 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Resource Exhaustion via multiple protocols. An attacker can cause a partial disruption of service by exploiting network access.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.15, 21.3.11 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Access Control in the hotspot/compiler component. An attacker can compromise data integrity.

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.10, 22.0.1 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the hotspot/runtime component.

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.10, 22.0.1 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Access Control Bypass in the JavaFX media component, when running untrusted code.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Information Exposure via the JavaFX component, when running untrusted code.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Input Validation due to a flaw in the JVM class file verifier in the hotspot/runtime component. An attacker can execute unverified bytecode by crafting a malicious input that bypasses the verification process.

Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Privilege Management in the hotspot/compiler component.

Note This is only exploitable if the attacker utilizes APIs in the specified component, such as through a web service that provides data to the APIs. Additionally, the vulnerability affects Java deployments that execute untrusted code, relying on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 22.3.5 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the security-libs/javax.xml.crypto component. An attacker with local access could access private keys.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Input Validation due to a range check loop optimization issue in the hotspot/compiler component. An attacker can obtain sensitive information without authorization by exploiting the improper input validation.

Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Information Exposure in the core-libs/javax.script component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 22.3.5 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Privilege Management in the security-libs/java.security component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 21.3.9, 22.3.5 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Covert Timing Channel in the security-libs/java.security component. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9, 23.0.0 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Privilege Management via the JavaFX component.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.13, 21.3.9 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS) in security-libs/javax.net.ssl, when running untrusted code.

Upgrade org.graalvm.sdk:graal-sdk to version 21.1.0 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS). Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.

Note:

This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.11, 21.3.7, 22.3.3 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Information Exposure in the hotspot/compiler component.

Note: This vulnerability can be exploited by using APIs in the specified component, e.g. through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.11, 21.3.7, 22.3.3 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Access Control which allows unauthenticated attackers with logon to the infrastructure executes to compromise the product. Exploiting this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data.

Note:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code from the internet) and rely on the Java sandbox for security.

2. This vulnerability does not apply to Java deployments, typically in servers that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.11, 21.3.7, 22.3.3 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Access Restriction Bypass in the Networking component, which allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Exploiting this vulnerability can result in unauthorized update, insert or delete access to accessible data.

Note:

1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code from the internet) and rely on the Java sandbox for security.

2)This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.11, 21.3.7, 22.3.3 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Access Restriction Bypass in the core-libs/java.io component. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access.

Note: This vulnerability can be exploited by using APIs in the specified component, e.g. through a web service that supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.11, 21.3.7, 22.3.3 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Neutralization of Null Byte or NUL Character resulting in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Input Validation due to a Swing HTML parsing issue, resulting in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Improper Input Validation resulting in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Denial of Service (DoS) certificate validation issue in TLS session negotiation. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS).

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) incorrect handling of NULL characters in ProcessBuilder. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.

org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages.

Affected versions of this package are vulnerable to Information Exposure. Improper connection handling during TLS handshake. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all accessible data as well as unauthorized access to critical data or complete access to all accessible data.

Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Upgrade org.graalvm.sdk:graal-sdk to version 20.3.10, 21.3.6, 22.3.2 or higher.