CVE-2009-1106 — Improper Input Validation in JDK

CWE-20 — Improper Input Validation6 documents5 sources

Severity

6.4MEDIUMNVD

EPSS

1.4%

top 19.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SUN JDK SUN JRE

Timeline

PublishedMar 25

Latest updateMay 2

Description

The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶NVDsun/jdk1.6.0

▶NVDsun/jre1.6.0

Patches

Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗

🔴Vulnerability Details

GHSA

GHSA-wfxj-4rq5-wv9c: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain↗2022-05-02

▶

CVEList

CVE-2009-1106: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain↗2009-03-25

▶

📋Vendor Advisories

Red Hat

OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)↗2009-03-23

▶

💬Community

Bugzilla

CVE-2009-1192 kernel: agp: zero pages before sending to userspace↗2009-04-22

▶

Bugzilla

CVE-2009-1106 OpenJDK: Improper parsing of crossdomain.xml files (intended access restriction bypass) (6798948)↗2009-03-26

▶