CVE-2023-21939

MEDIUM

Oracle Java SE <20 - Unauthenticated RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-21939. PoCs published by Y4Sec-Team, ghiddra.

AI-analyzed exploit summary This repository contains a working PoC for CVE-2023-21939, a vulnerability in JDK versions below 8u371 that allows RCE via malicious SVG files. The exploit leverages Apache XML Graphics and Mozilla Rhino to execute arbitrary commands.

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Exploits (2)

nomisec WORKING POC 94 stars
by Y4Sec-Team · poc
https://github.com/Y4Sec-Team/CVE-2023-21939

This repository contains a working PoC for CVE-2023-21939, a vulnerability in JDK versions below 8u371 that allows RCE via malicious SVG files. The exploit leverages Apache XML Graphics and Mozilla Rhino to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: JDK < 8u371 with Apache XML Graphics and Mozilla Rhino
No auth needed
Prerequisites: JDK version lower than 8u371 · Apache XML Graphics library · Mozilla Rhino library
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC
by ghiddra · poc
https://gitlab.com/ghiddra/cve-2023-21939-oracle

This repository contains a functional proof-of-concept exploit for CVE-2023-21939, demonstrating remote code execution in Oracle Java SE and GraalVM via malicious SVG files and Java deserialization. The exploit leverages Apache Batik Swing library vulnerabilities to execute arbitrary commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Oracle Java SE (8u361, 8u361-perf, 11.0.18, 17.0.6, 20), Oracle GraalVM Enterprise Edition (20.3.9, 21.3.5, 22.3.1)
No auth needed
Prerequisites: Oracle Java SE or GraalVM with vulnerable versions · Apache Batik Swing library (version 1.15) · Network access to serve malicious files
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (7)

Core 7

Scores

CVSS v3 5.3
EPSS 0.0247
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (20)
debian/debian_linux 10.0
debian/debian_linux 11.0
debian/debian_linux 12.0
netapp/7-mode_transition_tool
netapp/brocade_san_navigator
netapp/cloud_insights_acquisition_unit
netapp/cloud_insights_storage_workload_security_agent
netapp/oncommand_insight
oracle/graalvm 20.3.9
oracle/graalvm 21.3.5
... and 10 more
Published Apr 18, 2023
Tracked Since Feb 18, 2026