CVE-2008-5355

2008-12-0511:30:00

CWE-287

[email protected]

web.nvd.nist.gov

java

update

jre

jdk

cve-2008-5355

remote code execution

dns

man-in-the-middle

security vulnerability

7.8 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.111 Low

EPSS

Percentile

95.1%

JSON

The “Java Update” feature for Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks.

CPENameOperatorVersion
sun:jdksun jdkeq5.0
sun:jresun jreeq6
sun:jresun jreeq1.4.2_7
sun:jresun jreeq1.4.2_16
sun:jresun jreeq5.0
sun:jresun jreeq1.4.2_4
sun:sdksun sdkeq1.4.2_10
sun:sdksun sdkeq1.4.2_12
sun:jresun jreeq1.4.2_2
sun:jdksun jdkeq6

CPE	Name	Operator	Version
sun:jdk	sun jdk	eq	5.0
sun:jre	sun jre	eq	6
sun:jre	sun jre	eq	1.4.2_7
sun:jre	sun jre	eq	1.4.2_16
sun:jre	sun jre	eq	5.0
sun:jre	sun jre	eq	1.4.2_4
sun:sdk	sun sdk	eq	1.4.2_10
sun:sdk	sun sdk	eq	1.4.2_12
sun:jre	sun jre	eq	1.4.2_2
sun:jdk	sun jdk	eq	6