Oracle Java SE and GraalVM JAXP Vulnerability Allowing Unauthorized Data Access

Vulnerability

A vulnerability exists in the JAXP (Java API for XML Processing) component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions are Oracle Java SE 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2 and 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17.

An unauthenticated attacker with network access can use the flaw to compromise the affected runtime. Successful exploitation yields unauthorized access to critical data, or complete access to all data, held by that runtime. The attack surface is the JAXP API set (the javax.xml.parsers, javax.xml.transform, javax.xml.xpath and related packages), so any service that passes attacker-controlled input to these APIs, such as a web service that hands request content to an XML parser or transformer, exposes the flaw. The vulnerability also applies to Java deployments that load and run untrusted code from the internet in sandboxed Java Web Start applications or sandboxed Java applets and rely on the Java sandbox for security.
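As an added example that is not part of this advisory or of Oracle's tooling, the script below checks collected `java -version` banners against the affected versions the advisory lists, so an inventory of hosts can be triaged before patching. The host names and banner text in SAMPLE_BANNERS are constructed, the banner format is assumed from the usual `java -version` output, and folding 8u481-b50 and 8u481-perf into 8u481 assumes those builds report the same 1.8.0_481 base version.

```python
import re

# Added example (not from the advisory or from Oracle): flag a JDK whose
# `java -version` banner matches a release this advisory lists as affected.

# Versions named as affected in this advisory. Java SE 8u481, 8u481-b50 and
# 8u481-perf are assumed to report the base version 1.8.0_481 in the banner,
# so they collapse to "8u481" here; 17.0.18 and 21.0.10 cover both Java SE
# and GraalVM for JDK; 21.3.17 is GraalVM Enterprise Edition.
AFFECTED_VERSIONS = {
    "8u481", "11.0.30", "17.0.18", "21.0.10", "25.0.2", "26",
    "21.3.17",
}

# First line of `java -version` output, e.g.  java version "17.0.18" 2026-01-20 LTS
BANNER_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)


def normalize(banner_version: str) -> str:
    """Map the quoted banner version to the label Oracle uses in advisories.

    Java 8 reports 1.8.0_NNN (advisory label 8uNNN); later releases report
    the plain version, sometimes with a suffix such as -ea, which is dropped.
    """
    m = re.fullmatch(r"1\.8\.0_(\d+)(?:-.*)?", banner_version)
    if m:
        return f"8u{m.group(1)}"
    return banner_version.split("-", 1)[0]


def runtime_version(java_version_output: str):
    """Return the normalized version from a `java -version` banner, or None."""
    m = BANNER_RE.search(java_version_output)
    return normalize(m.group(1)) if m else None


def is_affected(java_version_output: str) -> bool:
    """True only when the banner names a version this advisory lists.

    A False result means "not on the list", not "safe": the check does not
    know which later release carries the fix.
    """
    version = runtime_version(java_version_output)
    return version is not None and version in AFFECTED_VERSIONS


def scan(banners: dict) -> dict:
    """Map each host name to its normalized version and affected flag."""
    return {
        host: {"version": runtime_version(out), "affected": is_affected(out)}
        for host, out in banners.items()
    }


# Constructed sample banners (assumed format). `java -version` writes to
# stderr, so collect real ones with `java -version 2>&1`.
SAMPLE_BANNERS = {
    "app-01": 'java version "1.8.0_481"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_481-b09)\n',
    "app-02": 'java version "17.0.18" 2026-01-20 LTS\n'
              'Java(TM) SE Runtime Environment (build 17.0.18+10-LTS)\n',
    # Hypothetical later release: not on the list, not claimed to be fixed.
    "app-03": 'java version "21.0.11"\n',
    "build-01": 'java version "26" 2026-03-17\n',
    "web-07": 'bash: java: command not found\n',
}

if __name__ == "__main__":
    for host, result in scan(SAMPLE_BANNERS).items():
        print(f"{host:10} {str(result['version']):10} affected={result['affected']}")
```

The check matches the version string only: it does not distinguish an Oracle build from another vendor's build of the same version number, and a host that is not flagged has merely not matched the advisory's list, which says nothing about whether its release carries the fix.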

Impact

Successful exploitation results in unauthorized access to critical data, or complete access to all data, held by the affected Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition runtime.

Added: Apr 21, 2026, 11:26 PM
Updated: Apr 21, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          3.3
exploitability  4.7
remediation     0.0
relevance       6.4
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.