Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*
- 8u461
- 8u461-perf
- 11.0.28
- 17.0.16
- 21.0.8
- 25
A vulnerability exists in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the JAXP component. Affected versions include Oracle Java SE 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, and 25; Oracle GraalVM for JDK 17.0.16 and 21.0.8; and Oracle GraalVM Enterprise Edition 21.3.15. This vulnerability allows an unauthenticated attacker with network access to compromise the affected Java environments. Exploitation can lead to unauthorized access to critical data or complete access to all data accessible within the Java environment. The vulnerability can be exploited through APIs in the JAXP component, such as via a web service that provides data to these APIs. It also affects Java deployments that run untrusted code from the internet in a sandboxed environment, relying on the Java sandbox for security.
Successful exploitation allows unauthorized access to critical data or complete access to all data within the affected Java environment.