CVE-2023-22006: 
Java vulnerability analysis and mitigation

CVE-2023-22006 is a vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK discovered by Motoyasu Saburi. The affected versions include Oracle Java SE 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition 20.3.10, 21.3.6, 22.3.2; and Oracle GraalVM for JDK 17.0.7 and 20.0.1. The vulnerability was disclosed in July 2023 as part of Oracle's Critical Patch Update (Oracle CPU).

This is a difficult to exploit vulnerability that involves HTTP client insufficient file name validation. It has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability requires network access via multiple protocols and human interaction from a person other than the attacker (NetApp Advisory).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK accessible data. The vulnerability specifically applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU).

Oracle has released patches for the affected versions as part of its July 2023 Critical Patch Update. Various Linux distributions have also released security updates, including Debian which has fixed the issue in openjdk-17 version 17.0.8+7-1~deb12u1 for the stable distribution (bookworm) and openjdk-11 version 11.0.20+8-1~deb11u1 for the oldstable distribution (bullseye) (Debian Advisory).