Unspecified vulnerability in the Networking component in Oracle Java SE and
Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows
remote attackers to affect confidentiality, integrity, and availability via
unknown vectors. NOTE: the previous information was obtained from the
October 2010 CPU. Oracle has not commented on claims from a reliable
downstream vendor that this is related to missing validation of request
headers in the HttpURLConnection class when they are set by applets, which
allows remote attackers to bypass the intended security policy.
Notes

Author   | Note
sbeattie | Red Hat description: HttpURLConnection did not validate request headers set by applets, which could allow remote attackers to trigger actions otherwise restricted to HTTP clients.
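Both descriptions above say only that request headers set by applets were not validated. As an added illustration (this is not Oracle's fix and not the JDK's own code), the Java below shows what such validation in front of HttpURLConnection.setRequestProperty looks like: header names must be RFC 7230 tokens, values may not contain CR, LF or NUL (the header-injection primitive), and a caller flagged as sandboxed, which models an applet, may not set transport-level headers. The restricted-header list and the sandboxed flag are assumptions chosen for the example; they are not the list or mechanism the JDK applies. openConnection() does not send anything, so the example runs offline; the first constructed header is accepted and the two attacks are rejected.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative request-header validation in front of HttpURLConnection.
 * Added example, not JDK code or Oracle's fix. The restricted-header
 * list below is an assumption made for illustration.
 */
public final class RequestHeaderPolicy {

    // Headers that untrusted (sandboxed) code should not set, because they
    // steer the transport rather than the application. Illustrative list.
    private static final Set<String> RESTRICTED_FOR_SANDBOX = Set.of(
            "host", "content-length", "transfer-encoding", "connection",
            "upgrade", "via", "trailer", "keep-alive", "origin");

    private RequestHeaderPolicy() {}

    /** True when ch is an RFC 7230 "tchar", i.e. allowed in a header name. */
    static boolean isTokenChar(char ch) {
        if ((ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || (ch >= '0' && ch <= '9')) {
            return true;
        }
        return "!#$%&'*+-.^_`|~".indexOf(ch) >= 0;
    }

    /** A header name must be a non-empty token: no whitespace, no separators. */
    static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            if (!isTokenChar(name.charAt(i))) {
                return false;
            }
        }
        return true;
    }

    /** A header value must not contain CR, LF or NUL, which would let one header become two. */
    static boolean isValidValue(String value) {
        if (value == null) {
            return false;
        }
        for (int i = 0; i < value.length(); i++) {
            char ch = value.charAt(i);
            if (ch == '\r' || ch == '\n' || ch == '\0') {
                return false;
            }
        }
        return true;
    }

    /**
     * Full check. Returns null when the header is acceptable, otherwise the
     * reason for rejection. sandboxed=true models an untrusted caller such
     * as an applet (assumed flag for this example).
     */
    static String rejectionReason(String name, String value, boolean sandboxed) {
        if (!isValidName(name)) {
            return "malformed header name";
        }
        if (!isValidValue(value)) {
            return "CR/LF/NUL in header value";
        }
        if (sandboxed && RESTRICTED_FOR_SANDBOX.contains(name.toLowerCase(Locale.ROOT))) {
            return "header restricted for sandboxed code";
        }
        return null;
    }

    /** Validating wrapper around setRequestProperty: reject before the header reaches the connection. */
    static void setRequestHeader(HttpURLConnection conn, String name, String value, boolean sandboxed) {
        String why = rejectionReason(name, value, sandboxed);
        if (why != null) {
            throw new IllegalArgumentException(why + ": " + name);
        }
        conn.setRequestProperty(name, value);
    }

    public static void main(String[] args) throws IOException {
        // openConnection() does not touch the network; no request is sent.
        HttpURLConnection conn = (HttpURLConnection)
                URI.create("http://example.invalid/").toURL().openConnection();

        // Constructed inputs: a benign header, a CRLF-injection attempt that
        // smuggles a second header, and a sandboxed attempt to override Host.
        String[][] attempts = {
            {"X-Trace-Id", "abc123"},
            {"X-Trace-Id", "abc123\r\nHost: evil.example"},
            {"Host", "evil.example"},
        };
        for (String[] h : attempts) {
            try {
                setRequestHeader(conn, h[0], h[1], true);
                System.out.println("accepted " + h[0] + " = " + conn.getRequestProperty(h[0]));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

The check is deliberately placed in the caller-facing wrapper rather than relying on the connection object, since the point of the advisory is that the trust boundary between untrusted code and the HTTP client is where the validation must happen.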