CVE-2023-21954 — Sensitive Information Exposure in Oracle Openjdk

CWE-200 — Sensitive Information Exposure8 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 84.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Openjdk Oracle Corporation Java SE JDK AND JRE Debian Linux +3 more

Timeline

PublishedApr 18

Latest updateMay 16

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5oracle_corporation/java_se_jdk_and_jre7 versions+6

▶NVDoracle/graalvm20.3.9, 21.3.5, 22.3.1+2

▶NVDoracle/openjdk11 — 11.0.18+4

▶NVDoracle/jdk1.8.0, 11.0.18, 17.0.6+2

▶NVDoracle/jre1.8.0, 11.0.18, 17.0.6+2

Also affects: Debian Linux 10.0, 11.0, 12.0

🔴Vulnerability Details

OSV

CVE-2023-21954: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot)↗2023-04-18

▶

GHSA

GHSA-8x3h-4f64-v6v6: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot)↗2023-04-18

▶

CVEList

CVE-2023-21954: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot)↗2023-04-18

▶

📋Vendor Advisories

Ubuntu

OpenJDK vulnerabilities↗2023-05-16

▶

Red Hat

OpenJDK: incorrect enqueue of references in garbage collector (8298191)↗2023-04-18

▶

Oracle

Oracle Oracle Java SE Risk Matrix: Hotspot — CVE-2023-21954↗2023-04-15

▶

Debian

CVE-2023-21954: openjdk-11 - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product o...↗2023

▶