PT-2009-6091 · Sun+1 · Java Se+1

Peter Csepely

Published

2009-11-05

Updated

2017-09-19

CVE-2009-3866

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Sun Java SE versions prior to JDK and JRE 6 Update 17

Description The issue concerns the Java Web Start Installer in Sun Java SE, which does not properly utilize security model permissions when removing installer extensions. This allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application.

Recommendations For versions prior to JDK and JRE 6 Update 17, update to JDK and JRE 6 Update 17 or later to resolve the issue.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

CVE-2009-3866

RHSA-2009:1560

RHSA-2009:1694

RHSA-2010:0043

Affected Products

Java Platform

Java Se

PT-2009-6091 · Sun+1 · Java Se+1

CVE-2009-3866

Weakness Enumeration

Related Identifiers

Affected Products

References · 22