Vulnerability DatabaseCVE-2024-20923

CVE-2024-20923:
Java vulnerability analysis and mitigation

Overview

A vulnerability has been identified in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically affecting the JavaFX component. The affected versions include Oracle Java SE 8u391 and Oracle GraalVM Enterprise Edition versions 20.3.12 and 21.3.8. This vulnerability was disclosed in January 2024 and is tracked as CVE-2024-20923 (Oracle CPU).

Technical details

The vulnerability is classified as difficult to exploit and requires network access via multiple protocols. It has been assigned a CVSS 3.1 Base Score of 3.1, primarily impacting confidentiality. The CVSS vector is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N), indicating network vector access, high attack complexity, no privileges required, and user interaction required (NVD).

Impact

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability specifically applies to Java deployments that typically run in clients with sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet (Oracle CPU).

Mitigation and workarounds

Oracle has released patches to address this vulnerability as part of its January 2024 Critical Patch Update. The vulnerability does not affect Java deployments that typically run in servers and only load trusted code installed by administrators. Organizations should apply the security updates provided in the January 2024 Critical Patch Update (Oracle CPU).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

3.1

Score

Published February 17, 2024

Severity LOW

CNA Score 3.1

Affected Technologies

Java
Amazon Corretto JDK

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 57.1

Exploitation Probability (EPSS) 0.4

Affected packages and libraries

openjdk-11-openj9
java-11-amazon-corretto

Sources

Chainguard
- Chainguard Has FixAdded at: Feb 02, 2025
Minimus
- MinimOS Severity LOWHas FixAdded at: Oct 09, 2025
NVD
- Linux Severity LOWHas FixAdded at: Dec 10, 2024
- Windows Severity LOWHas FixAdded at: Jan 23, 2024

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-68931	HIGH	8.7	Java	net.gleske:jervis	No	Yes	Jan 13, 2026
CVE-2025-68703	HIGH	8.7	Java	net.gleske:jervis	No	Yes	Jan 13, 2026
CVE-2025-68704	HIGH	8.2	Java	net.gleske:jervis	No	Yes	Jan 13, 2026
CVE-2025-66169	MEDIUM	6.9	Java	org.apache.camel:camel-neo4j	No	Yes	Jan 14, 2026
CVE-2025-68925	MEDIUM	6.9	Java	net.gleske:jervis	No	Yes	Jan 13, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-20923: Java vulnerability analysis and mitigation