LiveActive security incident?Get immediate response
CVE Record

CVE-2024-23081: ThreeTen Backport v1.6.8 was discovered to contain a NullPointerException via the component org.threeten.bp...

ThreeTen Backport v1.6.8 was discovered to contain a NullPointerException via the component org.threeten.bp.LocalDate::compareTo(ChronoLocalDate). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

CVE-2024-23081 claims ThreeTen Backport v1.6.8 can trigger a NullPointerException in a date comparison component. The record is explicitly disputed by multiple third parties, and no severity score, affected product data, or confirmed exploit activity is provided.

Executive priority

Treat this as a low-urgency verification item, not an emergency. The main action is dependency visibility and monitoring, because the vulnerability’s existence and impact are disputed.

Technical view

The reported issue is a NullPointerException in org.threeten.bp.LocalDate::compareTo(ChronoLocalDate). The CVE record says the vulnerability claim is disputed and may be based on a tool not robust enough for vulnerability identification. No CVSS, CWE, or vendor fix is listed in the provided sources.

Likely exposure

Exposure is limited to environments using ThreeTen Backport v1.6.8 or relevant org.threeten.bp code paths. Business impact is unclear because exploitability, reachability, and security impact are not established in the sources.

Exploitation context

There is no CISA KEV entry and no cited source confirms active exploitation. At most, the record indicates a disputed report involving a possible crash condition, not a confirmed exploitable vulnerability.

Researcher notes

Do not assume this is exploitable based on the CVE title alone. Validate reachability and security impact independently. The record’s dispute note materially reduces confidence in using this CVE for prioritization without additional evidence.

Mitigation direction

  • Inventory applications for ThreeTen Backport v1.6.8 usage.
  • Check official ThreeTen Backport guidance, issues, and release notes.
  • Assess whether affected date comparison code is reachable from untrusted input.
  • Prioritize normal dependency hygiene unless new vendor evidence appears.

Validation and detection

  • Review SBOMs and build manifests for ThreeTen Backport v1.6.8.
  • Confirm whether org.threeten.bp.LocalDate comparisons are used in exposed workflows.
  • Monitor the CVE record for changes to dispute status or severity.
  • Document findings as disputed if no reachable security impact is found.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2024-23081 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
2ADP providers
3Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.