CVE-2009-2675 — Integer Overflow or Wraparound in JDK

CWE-264 CWE-190 — Integer Overflow or Wraparound9 documents6 sources

Severity

10.0CRITICALNVD

CNA5.0

EPSS

6.8%

top 8.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SUN JDK SUN JRE Oracle BEA Product Suite

Timeline

PublishedAug 5

Latest updateMay 2

Description

Integer overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows context-dependent attackers to gain privileges via unspecified length fields in the header of a Pack200-compressed JAR file, which leads to a heap-based buffer overflow during decompression.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages3 packages

▶NVDsun/jdk6+2

▶NVDsun/jre6+2

▶NVDoracle/bea_product_suiter27.6.4

Patches

Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗Patch: sunsolve.sun.com ↗

🔴Vulnerability Details

GHSA

GHSA-9r76-mhm8-f3q4: Unspecified vulnerability in the JRockit component in BEA Product Suite R27↗2022-05-02

▶

GHSA

GHSA-x7pq-j293-x4p5: Integer overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5↗2022-05-02

▶

CVEList

CVE-2009-3403: Unspecified vulnerability in the JRockit component in BEA Product Suite R27↗2009-10-22

▶

CVEList

CVE-2009-2675: Integer overflow in the unpack200 utility in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5↗2009-08-05

▶

📋Vendor Advisories

Ubuntu

OpenJDK vulnerabilities↗2009-08-11

▶

Red Hat

Java Web Start Buffer unpack200 processing integer overflow (6830335)↗2009-08-05

▶

💬Community

Bugzilla

CVE-2009-2675 Java Web Start Buffer unpack200 processing integer overflow (6830335)↗2009-07-21

▶