Vulnerability DatabaseCVE-2023-22049

CVE-2023-22049:
Java vulnerability analysis and mitigation

Overview

A vulnerability was discovered in Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK (component: Libraries). The affected versions include Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. The vulnerability was disclosed in July 2023 (Oracle CPU).

Technical details

The vulnerability is characterized by improper handling of slash characters in URI-to-path conversion (reference ID: 8305312). It has been assigned a CVSS 3.1 Base Score of 3.7 (LOW) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that while the vulnerability is network-accessible, it requires high attack complexity, needs no privileges, and requires no user interaction (Oracle CPU).

Impact

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, and Oracle GraalVM for JDK accessible data. The vulnerability can be exploited through APIs in the specified Component, such as through a web service which supplies data to the APIs (NVD).

Mitigation and workarounds

Oracle has released patches to address this vulnerability in their July 2023 Critical Patch Update. Users are advised to update to the fixed versions. For Debian systems, fixes have been released in version 11.0.20+8-1~deb10u1 for Debian 10 and version 17.0.8+7-1~deb12u1 for the stable distribution (Debian Advisory, Debian LTS).

Additional resources

Source: This report was generated using AI

3.7

Score

Published July 18, 2023

Severity LOW

CNA Score 3.7

Affected Technologies

Java
Amazon Corretto JDK

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 26.7

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

java-1.7.1-ibm-src
java-17-openjdk-devel-slowdebug

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 23, 2023
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Jul 23, 2023
Alpine Security Tracker
- Alpine 3.15 Severity LOWHas FixAdded at: Nov 08, 2023
- Alpine 3.16, 3.17, 3.18 Severity LOWHas FixAdded at: Oct 22, 2023
- Alpine 3.19 Severity LOWHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity LOWHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity LOWHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity LOWHas FixAdded at: Jun 01, 2025
- Alpine edge Severity LOWHas FixAdded at: Sep 24, 2023
Chainguard
- Chainguard Has FixAdded at: Nov 11, 2024
Debian Security Tracker
- Debian 10, 11, 12 Severity LOWHas FixAdded at: Jul 20, 2023
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Jul 10, 2024
Red Hat Errata
- Red Hat 6 Severity MEDIUMNo FixAdded at: Aug 08, 2023
- Red Hat 7 Severity MEDIUMHas FixAdded at: Jul 20, 2023
- Red Hat 8 Severity MEDIUMHas FixAdded at: Jul 20, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Jul 20, 2023
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: Aug 10, 2023
- Rocky 9 Severity MEDIUMHas FixAdded at: Sep 24, 2023
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 23.04 Severity MEDIUMHas FixAdded at: Jul 31, 2023
- Ubuntu 23.10 Severity MEDIUMHas FixAdded at: Oct 31, 2023
Wolfi
- Wolfi Has FixAdded at: Nov 11, 2024
NVD
- Linux Severity LOWHas FixAdded at: Jul 30, 2023
- Windows Severity LOWHas FixAdded at: Jul 23, 2023