Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-5353: JDK vulnerability

13 documents, 9 sources

Severity: 10.0 CRITICAL (NVD)
EPSS: 89.5% (top 0.44%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Dec 5; latest update May 14

Description

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

CVSS vector

AV:N/AC:L/C:C/I:C/A:C
Exploitability: 10.0 | Impact: 10.0

Affected Packages (3 packages)

Source | Package | Version
NVD | sun/jdk | 5.0 (+3)
NVD | sun/jre | 1.4.2_18 (+21)
NVD | sun/sdk | 1.4.2_18 (+17)

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-3fx3-qcjv-qr6h: The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5 (2022-05-14)
CVEList: CVE-2008-5353: The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5 (2008-12-05)
VulnCheck: Java Runtime Environment (JRE) ZoneInfo Objects Vulnerability (2008)

💥 Exploits & PoCs (4)

Exploit-DB: Signed Applet Social Engineering - Code Execution (Metasploit) (2011-01-08)
Exploit-DB: Sun Java - Calendar Deserialization (Metasploit) (2010-09-20)
Exploit-DB: Apple Mac OSX - Java applet Remote Deserialization Remote (2) (2009-05-20)
Exploit-DB: Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization (Metasploit) (2008-12-03)

📋 Vendor Advisories (2)

Ubuntu: openjdk-6 vulnerabilities (2009-01-27)
Red Hat: OpenJDK calendar object deserialization allows privilege escalation (6734167) (2008-12-04)

💬 Community (1)

Bugzilla: CVE-2008-5353 OpenJDK calendar object deserialization allows privilege escalation (6734167) (2008-11-19)
CVE-2008-5353 — SUN JDK vulnerability | cvebase