Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-1423 — OS Command Injection in Oracle JDK

CWE-78 — OS Command Injection7 documents7 sources

Severity

9.3CRITICALNVD

EPSS

68.9%

top 1.36%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Oracle JDK Oracle JRE

Timeline

PublishedApr 15

Latest updateMay 2

Description

Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶NVDoracle/jdk1.6.0+1

▶NVDoracle/jre1.6.0+1

Patches

Patch: www.vupen.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

GHSA-563f-2v9h-x957: Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versio↗2022-05-02

▶

💥Exploits & PoCs

Exploit-DB

Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)↗2010-04-09

▶

Metasploit

Sun Java Web Start Plugin Command Line Argument Injection↗

▶

📋Vendor Advisories

Red Hat

Java: Java Web Start arbitrary command line injection↗2010-04-09

▶

🕵️Threat Intelligence

Zscaler

Incognito Exploit Kit | Zscaler↗2011-06-14

▶

💬Community

Bugzilla

CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection↗2010-04-11

▶