The version of java-11-amazon-corretto installed on the remote host is prior to 11.0.22+7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2414 advisory.

    A vulnerability that allows an attacker to execute arbitrary java code from the javascript engine even     though the option --no-java was set. (CVE-2024-20918)

    With carefully crafted custom bytecodes, arbitrary unverified bytecodes could be executed.
    (CVE-2024-20919)

    Loop optimizations are not correct when induction variable overflows (CVE-2024-20921)

    Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JavaFX).  Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM     Enterprise Edition: 20.3.12 and  21.3.8. Difficult to exploit vulnerability allows unauthenticated     attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes     to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.  Successful attacks require human     interaction from a person other than the attacker. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). (CVE-2024-20922)

    Missing validation may cause unexpected issues. (CVE-2024-20923)

    There are several integer overflows in the media handling (CVE-2024-20925)

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Scripting).  Supported versions that are affected are Oracle Java SE: 8u391,     8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8     and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via     multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise     Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or     complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g.,     through a web service which supplies data to the APIs. This vulnerability also applies to Java     deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets,     that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox     for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts).  CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). (CVE-2024-20926)

    Crypto key may be leaked via debug logging in some cases (CVE-2024-20945)

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u391,     8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise     Edition: 20.3.12, 21.3.8 and  22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle     GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized     creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK,     Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized access to critical data or     complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts).  CVSS Vector:
    (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). (CVE-2024-20952)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : java-11-amazon-corretto (ALAS-2024-2414)

low Nessus Plugin ID 189190

Version 1.4

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.4 Nov 5, 2025, 10:10 AM CVSS metrics ("CVSSv3 score" set to 2.5) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N") CVSSv3 score source (changed from "CVE-2024-20945" to "CVE-2024-20922") CVSSv3 severity (based on CVE-2024-20922, severity decreased from "Medium" to "Low") Plugin Feed: 202511051010
Version 1.3 Nov 4, 2025, 12:12 PM CVSS metrics ("CVSSv3 score" set to 4.7) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N") CVSSv3 score source (set to "CVE-2024-20945") CVSSv3 severity (based on CVE-2024-20945, severity decreased from "High" to "Medium") Plugin Feed: 202511041212
Version 1.2 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.1 Jan 19, 2024, 4:39 AM Plugin metadata Plugin Feed: 202401190439
Version 1.0 Jan 19, 2024, 12:43 AM New Plugin Feed: 202401190043