Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2013-2423

Published: 17/04/2013 Updated: 26/04/2024
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 435
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Subscribe to Jre

Vulnerability Summary

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and previous versions, and OpenJDK 7, allows remote malicious users to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote malicious users to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

oracle jre 1.7.0

opensuse opensuse 12.3

canonical ubuntu linux 12.10

Vendor Advisories

Ubuntu Security Notice: openjdk-7 vulnerabilities
Several security issues were fixed in OpenJDK 7 ...
Red Hat: Important: java-1.7.0-openjdk security update
Synopsis Important: java-170-openjdk security update Type/Severity Security Advisory: Important Topic Updated java-170-openjdk packages that fix various security issues arenow available for Red Hat Enterprise Linux 5The Red Hat Security Response Team has rated this update as havingimportant security im ...
Red Hat: Critical: java-1.7.0-oracle security update
Synopsis Critical: java-170-oracle security update Type/Severity Security Advisory: Critical Topic Updated java-170-oracle packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 5 and 6 SupplementaryThe Red Hat Security Response Team has rated this update as having crit ...
Red Hat: Critical: java-1.7.0-openjdk security update
Synopsis Critical: java-170-openjdk security update Type/Severity Security Advisory: Critical Topic Updated java-170-openjdk packages that fix various security issues arenow available for Red Hat Enterprise Linux 6The Red Hat Security Response Team has rated this update as having criticalsecurity impac ...
Amazon Linux AMI: ALAS-2013-183
Multiple flaws were discovered in the font layout engine in the 2D component An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384) Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI compone ...
Red Hat: CVE-2013-2423
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot NOTE: the previous information is from the April 2013 CPU Oracle has not commented on claims from the original researcher that this ...

Exploits

Exploit DB: Java Applet - Reflection Type Confusion Remote Code Execution (Metasploit)
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # web site for more information on licensing and terms of use # metasploitcom/ ## require 'msf/core' require 'rex' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking incl ...

Recent Articles

Investigation Report for the September 2014 Equation malware detection incident in the US
Securelist • Kaspersky Lab • 16 Nov 2017

In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were tr...

Read more...
Java under attack – the evolution of exploits in 2012-2013
Securelist • Kaspersky Lab • 30 Oct 2013

One of the biggest problems facing the IT security industry is the use of vulnerabilities in legitimate software to launch malware attacks. Malicious programs can use these vulnerabilities to infect a computer without attracting the attention of the user – and, in some cases, without triggering an alert from security software. That’s why cyber criminals prefer these attacks, known as exploits, over other infection methods. Unlike social engineering, which can be hit or miss, the use of vulne...

Read more...
Central Tibetan Administration Website Compromised
Securelist • Kurt Baumgartner • 12 Aug 2013

A snippet of code on the Central Tibetan Administration website redirects CN speaking visitors to a Java exploit that drops an APT-related backdoor. For some context, the site claims the administration itself as “…the Central Tibetan Administration (CTA) of His Holiness the Dalai Lama, this is the continuation of the government of independent Tibet.” The selection of placement for the malicious code is fairly extraordinary, so let’s dive in. The attack itself is precisely targeted, as an...

Read more...

References

NVD-CWE-noinfohttp://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.htmlhttp://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0http://blog.spiderlabs.com/2013/04/java-is-so-confusing.htmlhttp://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3fhttp://rhn.redhat.com/errata/RHSA-2013-0752.htmlhttp://www.ubuntu.com/usn/USN-1806-1http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/http://rhn.redhat.com/errata/RHSA-2013-0757.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=952398http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.htmlhttp://www.us-cert.gov/ncas/alerts/TA13-107Ahttp://www.exploit-db.com/exploits/24976http://www.mandriva.com/security/advisories?name=MDVSA-2013:161https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130http://security.gentoo.org/glsa/glsa-201406-32.xmlhttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700https://usn.ubuntu.com/1806-1/https://nvd.nist.govhttps://www.exploit-db.com/exploits/24976/https://access.redhat.com/security/cve/cve-2013-2423
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
encryptionCVE-2024-4331CVE-2024-26925arbitrary codeCVE-2006-4304CVE-2024-25458CVE-2024-27077reflected XSSCVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook