Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-1488Code Injection in Oracle JDK

CWE-94Code Injection11 documents7 sources
Severity
10.0CRITICALNVD
NVD9.3
EPSS
86.3%
top 0.59%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Oracle JDKOracle JRE
Timeline
PublishedMar 8
Latest updateMay 17

Description

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitrary code via unspecified vectors involving reflection, Libraries, "improper toString calls," and the JDBC driver manager, as demonstrated by James Forshaw during a Pwn2Own competition at CanSecWest 2013.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages2 packages

NVDoracle/jdk1.7.0+1
NVDoracle/jre1.7.0+1

🔴Vulnerability Details

2
GHSA
GHSA-6hc9-6xww-76p2: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote atta2022-05-17
GHSA
GHSA-f2f6-qfp8-5hcm: The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 6 and 7, allows remote attackers to execute arbitr2022-05-17

💥Exploits & PoCs

2
Exploit-DB
Java Applet - Driver Manager Privileged 'toString()' Remote Code Execution (Metasploit)2013-06-11
Metasploit
Java Applet Driver Manager Privileged toString() Remote Code Execution

📋Vendor Advisories

4
Ubuntu
OpenJDK 6 vulnerabilities2013-05-07
Ubuntu
OpenJDK 7 vulnerabilities2013-04-23
Red Hat
OpenJDK: JDBC driver manager improper toString calls (CanSecWest 2013, Libraries, 8009814)2013-04-16
Red Hat
OpenJDK: Wrapper.convert insufficient type checks (Libraries, 8009049)2013-04-16

💬Community

1
Bugzilla
CVE-2013-1488 OpenJDK: JDBC driver manager improper toString calls (CanSecWest 2013, Libraries, 8009814)2013-03-11
CVE-2013-1488 — Code Injection in Oracle JDK | cvebase