CVE-2013-1489

{"id": "CVE-2013-1489", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2013-01-31T14:55:01.903", "references": [{"url": "http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53", "source": "secalert_us@oracle.com"}, {"url": "http://marc.info/?l=bugtraq&m=136439120408139&w=2", "source": "secalert_us@oracle.com"}, {"url": "http://marc.info/?l=bugtraq&m=136439120408139&w=2", "source": "secalert_us@oracle.com"}, {"url": "http://marc.info/?l=bugtraq&m=136733161405818&w=2", "source": "secalert_us@oracle.com"}, {"url": "http://marc.info/?l=bugtraq&m=136733161405818&w=2", "source": "secalert_us@oracle.com"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0237.html", "source": "secalert_us@oracle.com"}, {"url": "http://seclists.org/fulldisclosure/2013/Jan/241", "source": "secalert_us@oracle.com"}, {"url": "http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/", "source": "secalert_us@oracle.com"}, {"url": "http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150", "source": "secalert_us@oracle.com"}, {"url": "http://www.kb.cert.org/vuls/id/858729", "tags": ["US Government Resource"], "source": "secalert_us@oracle.com"}, {"url": "http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html", "tags": ["Vendor Advisory"], "source": "secalert_us@oracle.com"}, {"url": "http://www.scmagazine.com.au/News/330453%2Cjava-still-unsafe-new-flaws-discovered.aspx", "source": "secalert_us@oracle.com"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA13-032A.html", "tags": ["US Government Resource"], "source": "secalert_us@oracle.com"}, {"url": "http://www.zdnet.com/java-update-doesnt-prevent-silent-exploits-at-all-7000010422/", "source": "secalert_us@oracle.com"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15906", "source": "secalert_us@oracle.com"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19171", "source": "secalert_us@oracle.com"}, {"url": "http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://marc.info/?l=bugtraq&m=136439120408139&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://marc.info/?l=bugtraq&m=136439120408139&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://marc.info/?l=bugtraq&m=136733161405818&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://marc.info/?l=bugtraq&m=136733161405818&w=2", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0237.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://seclists.org/fulldisclosure/2013/Jan/241", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://thenextweb.com/insider/2013/01/28/new-vulnerability-bypasses-oracles-attempt-to-stop-malware-drive-by-downloads-via-java-applets/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.informationweek.com/security/application-security/java-security-work-remains-bug-hunter-sa/240147150", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.kb.cert.org/vuls/id/858729", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.scmagazine.com.au/News/330453%2Cjava-still-unsafe-new-flaws-discovered.aspx", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA13-032A.html", "tags": ["US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.zdnet.com/java-update-doesnt-prevent-silent-exploits-at-all-7000010422/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15906", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19171", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the \"Very High\" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka \"Issue 53\" and the \"Java Security Slider\" vulnerability."}, {"lang": "es", "value": "Una Vulnerabilidad no especificada en el componente Java Runtime Environment (JRE) en Java SE versi\u00f3n 7 Update 10 y Update 11 de Oracle, cuando se ejecuta en Windows con Internet Explorer, Firefox, Opera y Google Chrome, permite a los atacantes remotos omitir el nivel de seguridad \"Very High\" del Panel de Control de Java y ejecutar c\u00f3digo Java no firmado sin consultar al usuario por medio de vectores desconocidos, tambi\u00e9n se conoce como \"Issue 53\" y la vulnerabilidad \"Java Security Slider\"."}], "lastModified": "2024-11-21T01:49:42.760", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "1C74FCFD-B3D1-48D5-9CD0-99DE675B8643"}, {"criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "88BF7EF1-A70B-4BA3-A564-9E14ECFD098A"}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "70E771E8-F2A9-4A8D-BD7A-B2D69828675B"}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "9752AB75-1457-4A6A-A310-29410A0905C2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "39B565E1-C2F1-44FC-A517-E3130332B17C"}, {"criteria": "cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C37BA825-679F-4257-9F2B-CE2318B75396"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "14E6A30E-7577-4569-9309-53A0AF7FE3AC"}, {"criteria": "cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4545786D-3129-4D92-B218-F4A92428ED48"}], "operator": "OR"}], "operator": "AND"}], "evaluatorComment": "Per: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html\r\n\r\n\"This issue (CVE-2013-1489) has been discussed publicly and is sometimes known as the \"Java Security Slider vulnerability\". It has a CVSS of 0 because it does not directly result in an exploitation, but may be combined with other vulnerabilities to allow blind exploitation. When the Security Slider is set to the default (high) all unsigned applets must be authorized via a dialog box by a browser user in order to execute. This provides the browser operator the opportunity to prevent execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that can be used to cause direct impacts, the effect can be that the impact can be caused \"silently\" without the authorization dialog box.\"", "sourceIdentifier": "secalert_us@oracle.com"}