CVE-2023-21939: 
Java vulnerability analysis and mitigation

CVE-2023-21939 is a vulnerability discovered in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the Swing component. The affected versions include Oracle Java SE versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20, and Oracle GraalVM Enterprise Edition versions 20.3.9, 21.3.5, and 22.3.1. This vulnerability was disclosed in April 2023 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized as easily exploitable and allows unauthenticated attackers with network access via HTTP to compromise Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.3 (Medium severity) with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited over a network without requiring user credentials or interaction (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability specifically applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU).

Oracle has released patches to address this vulnerability in their April 2023 Critical Patch Update. Users are advised to update to the fixed versions. For Java SE, this includes updating to versions newer than 8u361, 11.0.18, 17.0.6, and 20. For GraalVM Enterprise Edition, updates are available for versions after 20.3.9, 21.3.5, and 22.3.1 (Oracle CPU, NetApp Advisory).