CVE-2024-20925: 
Java vulnerability analysis and mitigation

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). The vulnerability affects Oracle Java SE version 8u391 and Oracle GraalVM Enterprise Edition versions 20.3.12 and 21.3.8. This is a difficult to exploit vulnerability that allows unauthenticated attackers with network access via multiple protocols to compromise the affected systems (Oracle CPU Jan 2024).

The vulnerability has been assigned a CVSS 3.1 Base Score of 3.1 (Integrity impacts) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability requires human interaction from a person other than the attacker for successful exploitation. This vulnerability specifically applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets (Oracle CPU Jan 2024).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE and Oracle GraalVM Enterprise Edition accessible data. The vulnerability primarily affects Java deployments that load and run untrusted code from the internet and rely on the Java sandbox for security (Oracle CPU Jan 2024).

Oracle has released security patches to address this vulnerability. The fixes are available for Oracle Java SE version 8u391 and Oracle GraalVM Enterprise Edition versions 20.3.12 and 21.3.8. It is recommended to apply these security patches without delay (Oracle CPU Jan 2024).