CVE-2013-4578 — Injection in Oracle JDK

CWE-74 — Injection5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 47.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle JDK Oracle JRE

Timeline

PublishedDec 29

Latest updateMay 14

Description

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDoracle/jdk1.7.0+1

▶NVDoracle/jre1.7.0+1

Patches

Patch: hg.openjdk.java.net ↗Patch: access.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-6xg2-jpwh-hh9f: jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode↗2022-05-14

▶

CVEList

CVE-2013-4578: jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode↗2017-12-29

▶

📋Vendor Advisories

Red Hat

OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars↗2014-01-14

▶

💬Community

Bugzilla

CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars↗2013-11-18

▶