CVE-2012-4681
In short
Java SE 7 and earlier has a critical security flaw that allows attackers to run malicious code through a crafted applet by bypassing Java's security protections. This happens because the applet can access restricted system classes and modify private fields, making it a serious threat.
Technical detail
CVE-2012-4681 covers flaws in how the JRE enforces SecurityManager restrictions. A crafted applet uses com.sun.beans.finder.ClassFinder.findClass, leveraging an exception with the forName method, to access classes in restricted sun.* packages. It then combines this with reflection through a trusted immediate caller, so that getField can be used to access and modify private fields. The vector is remote and requires the applet to execute; the impact is arbitrary code execution with user privileges (CVSS 9.8). This was actively exploited in August 2012.
Summary generated and translated by AI from the official description.
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H