CVE-2024-23077

7.5 HIGH

📋 TL;DR

CVE-2024-23077 is a disputed vulnerability in JFreeChart v1.5.4 where an ArrayIndexOutOfBounds exception could potentially be triggered in the CompassPlot component. If exploitable, this could lead to application crashes or denial of service. Organizations using JFreeChart v1.5.4 in their applications are potentially affected.

💻 Affected Systems

Products:
  • JFreeChart
Versions: v1.5.4
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is disputed by multiple third parties who question the evidence. May be a false positive from automated scanning tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Application crash leading to denial of service, potentially disrupting dependent systems

🟠 Likely Case: Application instability or crashes when processing specific chart data

🟢 If Mitigated: Minimal impact with proper input validation and error handling

🌐 Internet-Facing: LOW - Disputed vulnerability with unclear exploitability
🏢 Internal Only: LOW - Disputed vulnerability with unclear exploitability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No confirmed exploitation in the wild. The vulnerability is disputed and may not be practically exploitable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available due to disputed nature. Consider updating to latest JFreeChart version if concerned.

🔧 Temporary Workarounds

Input validation enhancement (applies to: all)

Implement additional input validation for chart data to prevent triggering the ArrayIndexOutOfBounds condition

Error handling improvement (applies to: all)

Add robust exception handling around CompassPlot operations to gracefully handle potential errors

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using JFreeChart
  • Monitor application logs for ArrayIndexOutOfBounds exceptions related to CompassPlot

🔍 How to Verify

Check if Vulnerable:

Check if your application uses JFreeChart v1.5.4 by examining dependencies or checking the JFreeChart version in use

Check Version:

Check your project's dependency management file (pom.xml, build.gradle, etc.) or examine the JFreeChart JAR file version

Verify Fix Applied:

Verify you are not using JFreeChart v1.5.4 or have implemented workarounds

📡 Detection & Monitoring

Log Indicators:

  • ArrayIndexOutOfBoundsException in CompassPlot.java
  • Application crashes when generating compass charts

Network Indicators:

  • Unusual application restarts or service interruptions

SIEM Query:

Search for 'ArrayIndexOutOfBoundsException' AND 'CompassPlot' in application logs
