CVE-2007-3716 — Improper Input Validation in Java System Access Manager

CWE-20 — Improper Input Validation9 documents3 sources

Severity

9.3CRITICALNVD

NVD7.5

EPSS

4.8%

top 10.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SUN JDK SUN JRE SUN Java System Access Manager +3 more

Timeline

PublishedJul 11

Latest updateMay 1

Description

The Java XML Digital Signature implementation in Sun JDK and JRE 6 before Update 2 does not properly process XSLT stylesheets in XSLT transforms in XML signatures, which allows context-dependent attackers to execute arbitrary code via a crafted stylesheet, a related issue to CVE-2007-3715.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages6 packages

▶NVDsun/java_system_web_server7.0

▶NVDsun/java_system_access_manager6.3, 7.0, 7.1+2

▶NVDsun/java_system_identity_server6.1, 6.2+1

▶NVDsun/java_system_application_server8.2, 9.0+1

▶NVDsun/jdk6

Patches

Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗

🔴Vulnerability Details

GHSA

GHSA-hqwp-wj7r-gf8j: Sun Java System Access Manager 6↗2022-05-01

▶

GHSA

GHSA-m7vm-xh92-2mwf: Sun Java System Application Server and Web Server 7↗2022-05-01

▶

GHSA

GHSA-5fxq-f64v-57fq: The Java XML Digital Signature implementation in Sun JDK and JRE 6 before Update 2 does not properly process XSLT stylesheets in XSLT transforms in XM↗2022-05-01

▶

CVEList

CVE-2008-2945: Sun Java System Access Manager 6↗2008-06-30

▶

CVEList

CVE-2007-3715: Sun Java System Application Server and Web Server 7↗2007-07-11

▶