10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.975 High
EPSS
Percentile
100.0%
Added: 03/04/2013
CVE: CVE-2013-0431
BID: 57726
OSVDB: 89613
Java is a programming language that compiles programs to bytecode, which is then executed inside a Java Virtual Machine. This is optimal for applications that must run on various hardware platforms, such as web applets.
Java versions prior to 7 Update 13 are vulnerable to a sandbox security bypass due to a misuse of the java.lang.reflect.Method class by the com.sun.jmx.mbeanserver.Introspector class. When combined with the MBeanInstantiator findClass vulnerability from CVE-2013-0422, this may allow an attacker to embed malicious java applets into a webpage and have a payload of their choice execute on a victim’s system while bypassing all security warnings.
Apply the updates specified in the Oracle Java SE Critical Patch Update Advisory - February 2013.
<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>
<http://support.novell.com/security/cve/CVE-2013-0431.html>
This exploit has been tested against Oracle JRE 7 Update 11 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
Windows