Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-4476

10 documents8 sources

Severity

5.0MEDIUM

EPSS

45.1%

top 2.40%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

SUN JDK SUN JRE SUN SDK

Timeline

PublishedFeb 17

Latest updateMay 14

Description

The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat7.0.0 — 7.0.7+2

▶NVDsun/jdk1.6.0+3

▶NVDsun/jre1.6.0+33

▶NVDsun/sdk1.4.2_29+29

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Apache Tomcat affected by infinite loop in Double.parseDouble method in Java Runtime Environment↗2022-05-14

▶

GHSA

Apache Tomcat affected by infinite loop in Double.parseDouble method in Java Runtime Environment↗2022-05-14

▶

CVEList

CVE-2010-4476: The Double↗2011-02-17

▶

💥Exploits & PoCs

Exploit-DB

Oracle Java - Floating-Point Value Denial of Service↗2011-02-01

▶

📋Vendor Advisories

Ubuntu

OpenJDK 6 vulnerabilities↗2011-03-17

▶

Ubuntu

OpenJDK 6 vulnerabilities↗2011-03-15

▶

Ubuntu

OpenJDK 6 vulnerabilities↗2011-03-01

▶

Red Hat

JDK Double.parseDouble Denial-Of-Service↗2011-02-01

▶

💬Community

Bugzilla

CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service↗2011-02-01

▶