FKIE_CVE-2023-22041

Vulnerability from fkie_nvd - Published: 2023-07-18 21:15 - Updated: 2024-11-21 07:44
Severity ?
5.1 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.1 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
References
secalert_us@oracle.comhttps://lists.debian.org/debian-lts-announce/2023/09/msg00018.htmlMailing List, Third Party Advisory
secalert_us@oracle.comhttps://security.netapp.com/advisory/ntap-20230725-0006/Third Party Advisory
secalert_us@oracle.comhttps://www.debian.org/security/2023/dsa-5458Third Party Advisory
secalert_us@oracle.comhttps://www.debian.org/security/2023/dsa-5478Third Party Advisory
secalert_us@oracle.comhttps://www.oracle.com/security-alerts/cpujul2023.htmlPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2023/09/msg00018.htmlMailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20230725-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5458Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2023/dsa-5478Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2023.htmlPatch, Vendor Advisory
Impacted products
Vendor Product Version
oracle graalvm 20.3.10
oracle graalvm 21.3.6
oracle graalvm 22.3.2
oracle graalvm_for_jdk 17.0.7
oracle graalvm_for_jdk 20.0.1
oracle jdk 1.8.0
oracle jdk 11.0.19
oracle jdk 17.0.7
oracle jdk 20.0.1
oracle jre 1.8.0
oracle jre 11.0.19
oracle jre 17.0.7
oracle jre 20.0.1
debian debian_linux 10.0
debian debian_linux 11.0
debian debian_linux 12.0
netapp 7-mode_transition_tool -
netapp active_iq_unified_manager -
netapp active_iq_unified_manager -
netapp cloud_insights_acquisition_unit -
netapp cloud_insights_storage_workload_security_agent -
netapp oncommand_insight -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:20.3.10:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "2AEB0668-3769-415A-85D2-8042C83AF530",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:21.3.6:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "1612C1DD-47B7-4A52-B709-0E270CE9A814",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm:22.3.2:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "0D052622-1214-4B93-8638-8F0FBADD4F43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "908FCFE7-F95A-4E5C-8644-78E737828E27",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6FC3A3A8-4244-4933-AC2C-03540C9F80BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.8.0:update371:*:*:enterprise_performance_pack:*:*:*",
              "matchCriteriaId": "C69380A5-FD13-4C73-9940-99B4776EA4F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:11.0.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "2182C64A-CA08-49EE-9987-E34F828F9D14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:17.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C064D35-8FFB-4033-AE32-A108189734AA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "208BCD85-10BA-4ACB-9B9C-E4F5530EFAE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.8.0:update371:*:*:enterprise_performance_pack:*:*:*",
              "matchCriteriaId": "47818A5A-7C5C-4B18-8529-7F9DB00A7626",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:11.0.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FDA3A94-3460-4EE1-B35F-3D4151157D95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:17.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE4416A7-658A-423F-9A66-A8F563273AE5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:20.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5370A60E-A32D-4F9A-B939-DFA07FF4F860",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EF6650C-558D-45C8-AE7D-136EE70CB6D7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
              "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CCAA4004-9319-478C-9D55-0E8307F872F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B199052-5732-4726-B06B-A12C70DFB891",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot).  Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and  20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)."
    }
  ],
  "id": "CVE-2023-22041",
  "lastModified": "2024-11-21T07:44:09.610",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.4,
        "impactScore": 3.6,
        "source": "secalert_us@oracle.com",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.4,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-07-18T21:15:13.963",
  "references": [
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20230725-0006/"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5458"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5478"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2023.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00018.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20230725-0006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5458"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5478"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpujul2023.html"
    }
  ],
  "sourceIdentifier": "secalert_us@oracle.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.