gsd-2013-2423
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2013-2423", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.", "id": "GSD-2013-2423", "references": [ "https://www.suse.com/security/cve/CVE-2013-2423.html", "https://access.redhat.com/errata/RHSA-2013:0822", "https://access.redhat.com/errata/RHSA-2013:0757", "https://access.redhat.com/errata/RHSA-2013:0752", "https://access.redhat.com/errata/RHSA-2013:0751", "https://alas.aws.amazon.com/cve/html/CVE-2013-2423.html", "https://linux.oracle.com/cve/CVE-2013-2423.html" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2013-2423" ], "details": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.", "id": "GSD-2013-2423", "modified": "2023-12-13T01:22:17.420914Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2013-2423", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "GLSA-201406-32", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "name": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "refsource": "MISC", "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0" }, { "name": "TA13-107A", "refsource": "CERT", "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A" }, { "name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "refsource": "CONFIRM", "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130" }, { "name": "RHSA-2013:0757", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html" }, { "name": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "refsource": "MISC", "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f" }, { "name": "24976", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/24976" }, { "name": "MDVSA-2013:161", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161" }, { "name": "openSUSE-SU-2013:0964", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html" }, { "name": "RHSA-2013:0752", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html" }, { "name": "USN-1806-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1806-1" }, { "name": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "refsource": "MISC", "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398" }, { "name": "oval:org.mitre.oval:def:16700", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700" }, { "name": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html" }, { "name": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "refsource": "CONFIRM", "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/" } ] } }, "nvd.nist.gov": { "cve": { "cisaActionDue": "2022-06-15", "cisaExploitAdd": "2022-05-25", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Oracle JRE Unspecified Vulnerability", "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*", "matchCriteriaId": "DFAA351A-93CD-46A8-A480-CE2783CCD620", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "matchCriteriaId": "F4B153FD-E20B-4909-8B10-884E48F5B590", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "matchCriteriaId": "F21933FB-A27C-4AF3-9811-2DE28484A5A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "matchCriteriaId": "B2B20041-EB5D-4FA4-AC7D-C35E7878BCFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*", "matchCriteriaId": "F3C3C9C7-73AE-4B1D-AA85-C7F5330A4DE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*", "matchCriteriaId": "1D8BB8D7-D5EC-42D6-BEAA-CB03D1D6513E", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "matchCriteriaId": "CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "matchCriteriaId": "5831D70B-3854-4CB8-B88D-40F1743DAEE0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "matchCriteriaId": "EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "matchCriteriaId": "BA302DF3-ABBB-4262-B206-4C0F7B5B1E91", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "matchCriteriaId": "F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "matchCriteriaId": "0CD8A54E-185B-4D34-82EF-C0C05739EC12", "vulnerable": true }, { "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "matchCriteriaId": "4FFC7F0D-1F32-4235-8359-277CE41382DF", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager." }, { "lang": "es", "value": "Una vulnerabilidad no especificada en el componente Java Runtime Environment (JRE) en Java SE versi\u00f3n 7 Update 17 y anteriores, y OpenJDK versi\u00f3n 7 de Oracle, permite a los atacantes remotos afectar la integridad por medio de vectores desconocidos relacionados a HotSpot. NOTA: la informaci\u00f3n anterior es de la CPU de abril de 2013. Oracle no ha comentado sobre las afirmaciones del investigador original de que esta vulnerabilidad permite a los atacantes remotos omitir las comprobaciones de permisos mediante el m\u00e9todo MethodHandles y modificar campos finales p\u00fablicos arbitrarios mediante la reflexi\u00f3n y la confusi\u00f3n de tipos, como es demostrado usando los campos enteros y dobles para deshabilitar el administrador de seguridad." } ], "id": "CVE-2013-2423", "lastModified": "2024-04-26T16:07:25.617", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-04-17T18:55:07.087", "references": [ { "source": "secalert_us@oracle.com", "tags": [ "Broken Link" ], "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/" }, { "source": "secalert_us@oracle.com", "tags": [ "Not Applicable" ], "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html" }, { "source": "secalert_us@oracle.com", "tags": [ "Patch" ], "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" }, { "source": "secalert_us@oracle.com", "tags": [ "Broken Link" ], "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/24976" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161" }, { "source": "secalert_us@oracle.com", "tags": [ "Vendor Advisory" ], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "http://www.ubuntu.com/usn/USN-1806-1" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory", "US Government Resource" ], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A" }, { "source": "secalert_us@oracle.com", "tags": [ "Issue Tracking" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398" }, { "source": "secalert_us@oracle.com", "tags": [ "Broken Link" ], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700" }, { "source": "secalert_us@oracle.com", "tags": [ "Third Party Advisory" ], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130" } ], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] } } } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.