CVE-2004-2540 — Regex Denial of Service in JDK

CWE-1333 — Regex Denial of Service9 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

0.9%

top 23.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SUN JDK SUN JRE

Timeline

PublishedDec 31

Latest updateMay 2

Description

readObject in (1) Java Runtime Environment (JRE) and (2) Software Development Kit (SDK) 1.4.0 through 1.4.2_05 allows remote attackers to cause a denial of service (JVM unresponsive) via crafted serialized data.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDsun/jdk1.5.0+85

▶NVDsun/jre10 versions+9

🔴Vulnerability Details

GHSA

Spring Framework Inefficient Regular Expression Complexity↗2022-05-02

▶

OSV

Spring Framework Inefficient Regular Expression Complexity↗2022-05-02

▶

GHSA

GHSA-h2mv-7266-r4gv: readObject in (1) Java Runtime Environment (JRE) and (2) Software Development Kit (SDK) 1↗2022-04-29

▶

CVEList

CVE-2009-1190: Algorithmic complexity vulnerability in the java↗2009-04-27

▶

CVEList

CVE-2004-2540: readObject in (1) Java Runtime Environment (JRE) and (2) Software Development Kit (SDK) 1↗2005-11-16

▶

📋Vendor Advisories

Red Hat

Spring Framework Remote Denial of Service vulnerability↗2009-04-22

▶

💬Community

Bugzilla

CVE-2009-1190 Spring Framework Remote Denial of Service vulnerability↗2009-04-22

▶