CVE-2013-0401Code Injection in Oracle JDK

CWE-94Code Injection8 documents5 sources
Severity
10.0CRITICALNVD
EPSS
10.1%
top 6.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Oracle JDKOracle JRE
Timeline
PublishedMar 8
Latest updateMay 5

Description

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loa

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

NVDoracle/jdk1.7.0
NVDoracle/jre1.7.0

🔴Vulnerability Details

1
GHSA
GHSA-7fc2-vc87-69w8: The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 52022-05-05

📋Vendor Advisories

3
Ubuntu
OpenJDK 6 vulnerabilities2013-05-07
Ubuntu
OpenJDK 7 vulnerabilities2013-04-23
Red Hat
OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)2013-04-16

💬Community

1
Bugzilla
CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)2013-03-11
CVE-2013-0401 — Code Injection in Oracle JDK | cvebase