Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 9 |
CVE-ID | CVE-2022-21619 CVE-2022-21624 CVE-2022-39399 CVE-2022-21618 CVE-2022-21626 CVE-2022-21628 CVE-2022-21597 CVE-2022-21634 CVE-2022-32215 |
CWE-ID | CWE-20 CWE-444 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Oracle GraalVM Enterprise Edition Server applications / Virtualization software |
Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
EUVDB-ID: #VU68442
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21619
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68441
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21624
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JNDI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68440
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-39399
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68439
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21618
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JGSS component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 21.3.3 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68438
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21626
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Security component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68437
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21628
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68436
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21597
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the JavaScript component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU68435
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21634
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the LLVM Interpreter component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65282
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32215
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle GraalVM Enterprise Edition: 20.3.7 - 22.2.0
External linkshttp://www.oracle.com/security-alerts/cpuoct2022.html?505601
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.