{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-04-16T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01.000Z", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"name": "GLSA-201406-32", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml"}, {"tags": ["x_refsource_MISC"], "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"}, {"name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"}, {"name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"tags": ["x_refsource_MISC"], "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"}, {"name": "24976", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "http://www.exploit-db.com/exploits/24976"}, {"name": "MDVSA-2013:161", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"}, {"name": "openSUSE-SU-2013:0964", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"}, {"name": "RHSA-2013:0752", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html"}, {"name": "USN-1806-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1806-1"}, {"tags": ["x_refsource_MISC"], "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, {"name": "oval:org.mitre.oval:def:16700", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2013-2423", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "GLSA-201406-32", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml"}, {"name": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "refsource": "MISC", "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"}, {"name": "TA13-107A", "refsource": "CERT", "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "refsource": "CONFIRM", "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"}, {"name": "RHSA-2013:0757", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"name": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "refsource": "MISC", "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"}, {"name": "24976", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/24976"}, {"name": "MDVSA-2013:161", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"}, {"name": "openSUSE-SU-2013:0964", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"}, {"name": "RHSA-2013:0752", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html"}, {"name": "USN-1806-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1806-1"}, {"name": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "refsource": "MISC", "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, {"name": "oval:org.mitre.oval:def:16700", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"}, {"name": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"name": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "refsource": "CONFIRM", "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:36:46.423Z"}, "title": "CVE Program Container", "references": [{"name": "GLSA-201406-32", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"}, {"name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"}, {"name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"}, {"name": "24976", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "http://www.exploit-db.com/exploits/24976"}, {"name": "MDVSA-2013:161", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"}, {"name": "openSUSE-SU-2013:0964", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"}, {"name": "RHSA-2013:0752", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html"}, {"name": "USN-1806-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1806-1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, {"name": "oval:org.mitre.oval:def:16700", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-02-10T19:49:17.531608Z", "id": "CVE-2013-2423", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-05-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2013-2423"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T19:49:30.266Z"}}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2013-2423", "datePublished": "2013-04-17T15:00:00.000Z", "dateReserved": "2013-03-05T00:00:00.000Z", "dateUpdated": "2025-02-10T19:49:30.266Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml", "name": "GLSA-201406-32", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"]}, {"url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.us-cert.gov/ncas/alerts/TA13-107A", "name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"]}, {"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html", "name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://www.exploit-db.com/exploits/24976", "name": "24976", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161", "name": "MDVSA-2013:161", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html", "name": "openSUSE-SU-2013:0964", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"]}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html", "name": "RHSA-2013:0752", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "http://www.ubuntu.com/usn/USN-1806-1", "name": "USN-1806-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"]}, {"url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700", "name": "oval:org.mitre.oval:def:16700", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"]}, {"url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:36:46.423Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2013-2423", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-10T19:49:17.531608Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-05-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2013-2423"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-10T19:49:09.254Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-04-16T00:00:00.000Z", "references": [{"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml", "name": "GLSA-201406-32", "tags": ["vendor-advisory", "x_refsource_GENTOO"]}, {"url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "tags": ["x_refsource_MISC"]}, {"url": "http://www.us-cert.gov/ncas/alerts/TA13-107A", "name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT"]}, {"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html", "name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "tags": ["x_refsource_MISC"]}, {"url": "http://www.exploit-db.com/exploits/24976", "name": "24976", "tags": ["exploit", "x_refsource_EXPLOIT-DB"]}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161", "name": "MDVSA-2013:161", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"]}, {"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html", "name": "openSUSE-SU-2013:0964", "tags": ["vendor-advisory", "x_refsource_SUSE"]}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html", "name": "RHSA-2013:0752", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "http://www.ubuntu.com/usn/USN-1806-1", "name": "USN-1806-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"]}, {"url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "tags": ["x_refsource_MISC"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700", "name": "oval:org.mitre.oval:def:16700", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"]}, {"url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2017-09-18T12:57:01.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml", "name": "GLSA-201406-32", "refsource": "GENTOO"}, {"url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "name": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0", "refsource": "MISC"}, {"url": "http://www.us-cert.gov/ncas/alerts/TA13-107A", "name": "TA13-107A", "refsource": "CERT"}, {"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130", "refsource": "CONFIRM"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html", "name": "RHSA-2013:0757", "refsource": "REDHAT"}, {"url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "name": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f", "refsource": "MISC"}, {"url": "http://www.exploit-db.com/exploits/24976", "name": "24976", "refsource": "EXPLOIT-DB"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161", "name": "MDVSA-2013:161", "refsource": "MANDRIVA"}, {"url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html", "name": "openSUSE-SU-2013:0964", "refsource": "SUSE"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html", "name": "RHSA-2013:0752", "refsource": "REDHAT"}, {"url": "http://www.ubuntu.com/usn/USN-1806-1", "name": "USN-1806-1", "refsource": "UBUNTU"}, {"url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "name": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html", "refsource": "MISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=952398", "refsource": "CONFIRM"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700", "name": "oval:org.mitre.oval:def:16700", "refsource": "OVAL"}, {"url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "name": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "refsource": "CONFIRM"}, {"url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "name": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-2423", "STATE": "PUBLIC", "ASSIGNER": "secalert_us@oracle.com"}}}}, "cveMetadata": {"cveId": "CVE-2013-2423", "state": "PUBLISHED", "dateUpdated": "2025-02-10T19:49:30.266Z", "dateReserved": "2013-03-05T00:00:00.000Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2013-04-17T15:00:00.000Z", "assignerShortName": "oracle"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-06-15", "cisaExploitAdd": "2022-05-25", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Oracle JRE Unspecified Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*", "matchCriteriaId": "DFAA351A-93CD-46A8-A480-CE2783CCD620", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "matchCriteriaId": "F4B153FD-E20B-4909-8B10-884E48F5B590", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "matchCriteriaId": "F21933FB-A27C-4AF3-9811-2DE28484A5A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "matchCriteriaId": "B2B20041-EB5D-4FA4-AC7D-C35E7878BCFD", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*", "matchCriteriaId": "F3C3C9C7-73AE-4B1D-AA85-C7F5330A4DE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*", "matchCriteriaId": "1D8BB8D7-D5EC-42D6-BEAA-CB03D1D6513E", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "matchCriteriaId": "CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "matchCriteriaId": "5831D70B-3854-4CB8-B88D-40F1743DAEE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "matchCriteriaId": "EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "matchCriteriaId": "BA302DF3-ABBB-4262-B206-4C0F7B5B1E91", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "matchCriteriaId": "F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "matchCriteriaId": "0CD8A54E-185B-4D34-82EF-C0C05739EC12", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "matchCriteriaId": "4FFC7F0D-1F32-4235-8359-277CE41382DF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}, {"lang": "es", "value": "Una vulnerabilidad no especificada en el componente Java Runtime Environment (JRE) en Java SE versi\u00f3n 7 Update 17 y anteriores, y OpenJDK versi\u00f3n 7 de Oracle, permite a los atacantes remotos afectar la integridad por medio de vectores desconocidos relacionados a HotSpot. NOTA: la informaci\u00f3n anterior es de la CPU de abril de 2013. Oracle no ha comentado sobre las afirmaciones del investigador original de que esta vulnerabilidad permite a los atacantes remotos omitir las comprobaciones de permisos mediante el m\u00e9todo MethodHandles y modificar campos finales p\u00fablicos arbitrarios mediante la reflexi\u00f3n y la confusi\u00f3n de tipos, como es demostrado usando los campos enteros y dobles para deshabilitar el administrador de seguridad."}], "id": "CVE-2013-2423", "lastModified": "2025-02-10T20:15:34.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2013-04-17T18:55:07.087", "references": [{"source": "secalert_us@oracle.com", "tags": ["Broken Link"], "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}, {"source": "secalert_us@oracle.com", "tags": ["Not Applicable"], "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"}, {"source": "secalert_us@oracle.com", "tags": ["Patch"], "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml"}, {"source": "secalert_us@oracle.com", "tags": ["Broken Link"], "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.exploit-db.com/exploits/24976"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-1806-1"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"source": "secalert_us@oracle.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, {"source": "secalert_us@oracle.com", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"}, {"source": "secalert_us@oracle.com", "tags": ["Third Party Advisory"], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0752.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.exploit-db.com/exploits/24976"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-1806-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2013:0752", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "java-1.7.0-openjdk-1:1.7.0.19-2.3.9.1.el5_9", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2013-04-17T00:00:00Z"}, {"advisory": "RHSA-2013:0751", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "java-1.7.0-openjdk-1:1.7.0.19-2.3.9.1.el6_4", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2013-04-17T00:00:00Z"}, {"advisory": "RHSA-2013:0757", "cpe": "cpe:/a:redhat:rhel_extras:5", "package": "java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el5", "product_name": "Supplementary for Red Hat Enterprise Linux 5", "release_date": "2013-04-18T00:00:00Z"}, {"advisory": "RHSA-2013:0822", "cpe": "cpe:/a:redhat:rhel_extras:5", "package": "java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el5_9", "product_name": "Supplementary for Red Hat Enterprise Linux 5", "release_date": "2013-05-14T00:00:00Z"}, {"advisory": "RHSA-2013:0757", "cpe": "cpe:/a:redhat:rhel_extras:6", "package": "java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el6", "product_name": "Supplementary for Red Hat Enterprise Linux 6", "release_date": "2013-04-18T00:00:00Z"}, {"advisory": "RHSA-2013:0822", "cpe": "cpe:/a:redhat:rhel_extras:6", "package": "java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el6_4", "product_name": "Supplementary for Red Hat Enterprise Linux 6", "release_date": "2013-05-14T00:00:00Z"}], "bugzilla": {"description": "OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)", "id": "952398", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=952398"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "details": ["Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."], "name": "CVE-2013-2423", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "java-1.6.0-openjdk", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "java-1.6.0-sun", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "java-1.6.0-openjdk", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "java-1.6.0-sun", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2013-04-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-2423\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-2423\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "threat_severity": "Moderate", "upstream_fix": "icedtea7 2.3.9"}