Home > Vulnerability Database > CVE-2013-0401

Mend.io Vulnerability Database

CVE-2013-0401

Date: March 8, 2013

The Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, 6 Update 43 and earlier, and 5.0 Update 41 and earlier; and OpenJDK 6 and 7; allows remote attackers to execute arbitrary code via vectors related to AWT, as demonstrated by Ben Murphy during a Pwn2Own competition at CanSecWest 2013. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to invocation of the system class loader by the sun.awt.datatransfer.ClassLoaderObjectInputStream class, which allows remote attackers to bypass Java sandbox restrictions.

Severity Score

9.8

Related Resources (34)

Url: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022796.html

Url: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0124

Url: http://rhn.redhat.com/errata/RHSA-2013-1456.html

Url: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

Url: http://security.gentoo.org/glsa/glsa-201406-32.xml

Url: http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2013:145

Url: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/31c782610044

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2013:161

Url: http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/

Url: https://access.redhat.com/security/cve/CVE-2013-0401

Url: http://www.ubuntu.com/usn/USN-1806-1

Url: http://lists.opensuse.org/opensuse-security-announce/2013-06/msg00001.html

Url: http://blog.fuseyism.com/index.php/2013/04/25/security-icedtea-1-11-11-1-12-5-for-openjdk-6-released/

Url: https://twitter.com/thezdi/status/309784608508100608

Url: http://rhn.redhat.com/errata/RHSA-2013-0752.html

Url: http://www.us-cert.gov/ncas/alerts/TA13-107A

Url: http://lists.opensuse.org/opensuse-updates/2013-05/msg00017.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=920245

Url: http://marc.info/?l=bugtraq&m=137283787217316&w=2

Url: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157

Url: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130

Url: http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00007.html

Url: http://rhn.redhat.com/errata/RHSA-2013-1455.html

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19641

Url: http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16297

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19463

Url: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880

Url: http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00013.html

Url: http://rhn.redhat.com/errata/RHSA-2013-0758.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2013-0401

Url: http://rhn.redhat.com/errata/RHSA-2013-0757.html

Url: https://www.mend.io/vulnerability-database/CVE-2013-0401

Severity Score

9.8

Weakness Type (CWE)

Code Injection

CWE-94

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	10.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2013-0401

Date: March 8, 2013

Severity Score

Related Resources (34)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?