Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
jvnJapan Vulnerability NotesJVN:62161191
HistoryJul 28, 2020 - 12:00 a.m.

JVN#62161191: JavaFX WebEngine does not properly restrict Java method execution

2020-07-2800:00:00
Japan Vulnerability Notes
jvn.jp
41

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.041 Low

EPSS

Percentile

92.2%

JSON

JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10.
Since OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community.

JavaFX WebEngine component is capable of web content rendering, and possible to be configured to allow JavaScript code to execute Java methods.
WebEngine component does not properly restrict Java methods execution(CWE-470).
This vulnerability is similar to CVE-2012-6636 of Android WebView component.

Impact

When a JavaFX application renders crafted web contents, an arbitrary Java code may be executed with the application’s privilege.

Solution

Update the software
JavaFX application developers should update their applications with the latest version of JavaFX library.
JavaFX application users should update their Java execution environment to the latest version.

JavaFX library in OracleJDK 8u251 and JavaFX 14.0.1 restrict a number of Java methods callable from JavaScript code.
Please refer to release notes for details.

Products Affected

  • OracleJDK 8 versions prior to update 251
  • JavaFX versions prior to 14.0.1

Related

exploitpack 1
seebug 1
exploitdb 1
cve 4
cvelist 4
nvd 4
zdt 1
packetstorm 1
android 1
ubuntucve 1
prion 4
lenovo 2
exploitpack
exploitpack
Boat Browser 8.08.0.1 - Remote Code Execution
2014-07-16 00:00:00
seebug
seebug
Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability
2014-07-17 00:00:00
exploitdb
exploitdb
Boat Browser 8.0/8.0.1 - Remote Code Execution
2014-07-16 00:00:00
cve
cve
CVE-2014-4968
2020-02-12 01:15:10
CVE-2014-0514
2014-04-15 23:13:14
CVE-2013-4710
2014-03-03 04:50:46
cvelist
cvelist
CVE-2012-6636
2014-03-03 02:00:00
CVE-2014-0514
2014-04-15 20:00:00
CVE-2013-4710
2014-03-03 02:00:00
nvd
nvd
CVE-2012-6636
2014-03-03 04:50:46
CVE-2013-4710
2014-03-03 04:50:46
CVE-2014-0514
2014-04-15 23:13:14
zdt
zdt
Android 4.2 Browser and WebView - addJavascriptInterface Code Execution Exploit
2017-03-23 00:00:00
packetstorm
packetstorm
Boat Browser 8.0 / 8.0.1 Remote Code Execution
2014-07-16 00:00:00
android
android
JavaScript to Java
2012-12-21 00:00:00
ubuntucve
ubuntucve
CVE-2012-6636
2014-03-03 00:00:00
prion
prion
Design/Logic Flaw
2014-04-15 23:13:00
Server side request forgery (ssrf)
2014-03-03 04:50:00
Design/Logic Flaw
2014-03-03 04:50:00
lenovo
lenovo
SHAREit for Android Vulnerabilities
2017-05-08 00:00:00
SHAREit for Android Vulnerabilities - Lenovo Support US
2017-05-08 00:00:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.041 Low

EPSS

Percentile

92.2%

JSON
Related for JVN:62161191
exploitpack1seebug1exploitdb1cve4cvelist4nvd4zdt1packetstorm1android1ubuntucve1prion4lenovo2