CVE-2024-20922: 
Java vulnerability analysis and mitigation

CVE-2024-20922 is a vulnerability in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the JavaFX component. The affected versions include Oracle Java SE 8u391 and Oracle GraalVM Enterprise Edition versions 20.3.12 and 21.3.8. This vulnerability was disclosed in January 2024 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is classified as difficult to exploit and requires an unauthenticated attacker with logon access to the infrastructure where the affected software executes. It has been assigned a CVSS 3.1 Base Score of 2.5 (Low severity) with the following vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability specifically applies to Java deployments that typically run sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of the accessible data in Oracle Java SE and Oracle GraalVM Enterprise Edition. The vulnerability only affects deployments that rely on the Java sandbox for security and load untrusted code (Oracle CPU).

Oracle has released patches to address this vulnerability in their January 2024 Critical Patch Update. The fix is available for Oracle Java SE version 8u391 and Oracle GraalVM Enterprise Edition versions 20.3.12 and 21.3.8. Organizations are strongly recommended to apply these security patches as soon as possible (Oracle CPU, NetApp Advisory).