CVE-2023-21968: 
Java vulnerability analysis and mitigation

CVE-2023-21968 is a vulnerability affecting Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability was discovered by Adam Reziouk of Airbus Cyber Vulnerabilities Service and disclosed in April 2023. It affects multiple versions including Oracle Java SE (8u361, 8u361-perf, 11.0.18, 17.0.6, 20) and Oracle GraalVM Enterprise Edition (20.3.9, 21.3.5, 22.3.1). This vulnerability specifically relates to missing checks for slash characters in URI-to-path conversion (Oracle Advisory).

The vulnerability is classified as difficult to exploit and requires network access via multiple protocols. It has been assigned a CVSS 3.1 Base Score of 3.7 (Low) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that while the vulnerability is network-accessible, it has high attack complexity and requires no privileges or user interaction (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (NVD).

Oracle has released patches to address this vulnerability in their April 2023 Critical Patch Update. Users are advised to update to the fixed versions. For Java SE 8 users, the fix is available in version 8u372. For Java SE 11 users, the fix is in version 11.0.19, and for Java SE 17 users, the fix is available in version 17.0.7 (Red Hat Advisory).