← back
CVE-2013-2423

CVE-2013-2423

CVSS 3.7 LOWEPSS 85.3%● KEVCWE-284
In short

A vulnerability in Java's HotSpot compiler allows attackers to bypass security restrictions and modify protected fields, potentially disabling the security manager that protects your system from malicious code.

Technical detail

An integrity vulnerability in Oracle JRE 7 Update 17 and OpenJDK 7 exists in the HotSpot component, exploitable via MethodHandles and reflection-based type confusion to bypass permission checks and modify public final fields, compromising the Java security manager without requiring authentication.

Summary generated and translated by AI from the official description.
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
n/a · n/a
public PoCs found2
cve_referencewww.exploit-db.com/exploits/24976unverifiedexploitdbwww.exploit-db.com/exploits/24976unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/http://blog.spiderlabs.com/2013/04/java-is-so-confusing.htmlhttp://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3fhttp://lists.opensuse.org/opensuse-updates/2013-06/msg00099.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0752.htmlhttp://rhn.redhat.com/errata/RHSA-2013-0757.htmlhttps://bugzilla.redhat.com/show_bug.cgi?id=952398http://security.gentoo.org/glsa/glsa-201406-32.xmlhttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0