Bug 2278636 (CVE-2024-20954) - CVE-2024-20954 graalvm: Unauthorized Read Access
Summary: CVE-2024-20954 graalvm: Unauthorized Read Access
Keywords:
Status: NEW
Alias: CVE-2024-20954
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2277977
Reported: 2024-05-02 13:53 UTC by Patrick Del Bello
Modified: 2024-06-25 07:07 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GraalVM and Mandrel (Community Edition). Successful attacks of this vulnerability can result in unauthorized read access.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:4080 | 0 | None | None | None | 2024-06-25 06:26:03 UTC
Red Hat Product Errata | RHBA-2024:4082 | 0 | None | None | None | 2024-06-25 07:07:53 UTC
Red Hat Product Errata | RHSA-2024:4079 | 0 | None | None | None | 2024-06-25 06:23:49 UTC
Red Hat Product Errata | RHSA-2024:4081 | 0 | None | None | None | 2024-06-25 07:06:05 UTC

Description Patrick Del Bello 2024-05-02 13:53:21 UTC
Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

https://www.oracle.com/security-alerts/cpuapr2024.html

Comment 13 errata-xmlrpc 2024-06-25 06:23:47 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.8 on RHEL 8

Via RHSA-2024:4079 https://access.redhat.com/errata/RHSA-2024:4079

Comment 14 errata-xmlrpc 2024-06-25 07:06:03 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2 on RHEL 8

Via RHSA-2024:4081 https://access.redhat.com/errata/RHSA-2024:4081
