ID CVE-2013-1489
Summary Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability. Per: http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html "This issue (CVE-2013-1489) has been discussed publicly and is sometimes known as the "Java Security Slider vulnerability". It has a CVSS of 0 because it does not directly result in an exploitation, but may be combined with other vulnerabilities to allow blind exploitation. When the Security Slider is set to the default (high) all unsigned applets must be authorized via a dialog box by a browser user in order to execute. This provides the browser operator the opportunity to prevent execution of suspicious applets that may result in successful exploits. However, when CVE-2013-1489 is combined with vulnerabilities that can be used to cause direct impacts, the effect can be that the impact can be caused "silently" without the authorization dialog box."
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:windows:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:windows:*:*
  • cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:windows:*:*
    cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:windows:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:windows:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:windows:*:*
  • cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:windows:*:*
    cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:windows:*:*
  • cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*
    cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  • cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:*
    cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 19-09-2017 - 01:36)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
oval via4
  • accepted 2013-06-10T04:00:35.215-04:00
    class vulnerability
    contributors
    name Sergey Artykhov
    organization ALTX-SOFT
    definition_extensions
    comment Java SE Runtime Environment 7 is installed
    oval oval:org.mitre.oval:def:16050
    description Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.
    family windows
    id oval:org.mitre.oval:def:15906
    status accepted
    submitted 2013-04-22T10:26:26.748+04:00
    title Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE (subcomponent: Deployment) 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.
    version 5
  • accepted 2015-04-20T04:00:57.263-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.
    family unix
    id oval:org.mitre.oval:def:19171
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
    version 44
redhat via4
advisories
rhsa
id RHSA-2013:0237
refmap via4
cert TA13-032A
cert-vn VU#858729
confirm http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html
fulldisc 20130127 [SE-2012-01] An issue with new Java SE 7 security features
hp
  • HPSBMU02874
  • HPSBUX02857
  • SSRT101103
  • SSRT101184
misc
Last major update 19-09-2017 - 01:36
Published 31-01-2013 - 14:55
Back to Top