ID CVE-2007-3922
Summary Unspecified vulnerability in the Java Runtime Environment (JRE) Applet Class Loader in Sun JDK and JRE 5.0 Update 11 and earlier, 6 through 6 Update 1, and SDK and JRE 1.4.2_14 and earlier, allows remote attackers to violate the security model for an applet's outbound connections by connecting to certain localhost services running on the machine that loaded the applet.
References
Vulnerable Configurations
  • cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.2:update11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.3.1:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.1:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.4.2:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:-:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.1.8_007:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.2.2_010:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.2.2_10:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.2.2_14:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0_01:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0_02:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0_03:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0_04:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.0_05:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_01:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_01a:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_02:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_03:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_04:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_05:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_06:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_07:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_08:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_09:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_10:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_11:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_12:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_13:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_14:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_15:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_16:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_17:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_18:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_19:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_20:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_21:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_22:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_23:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_24:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_25:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_26:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_27:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3.1_28:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3_02:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.3_05:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_1:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_02:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_2:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_03:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_3:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_04:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_4:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_5:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_6:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_7:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_08:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_8:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_09:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_9:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_10:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_11:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_12:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_13:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:sdk:1.4.2_14:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 29-09-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
oval via4
accepted 2010-09-06T04:03:10.375-04:00
class vulnerability
contributors
name Aharon Chernin
organization SCAP.com, LLC
family unix
id oval:org.mitre.oval:def:10387
status accepted
submitted 2010-07-09T03:56:16-04:00
version 6
redhat via4
advisories
  • rhsa
    id RHSA-2007:0818
  • rhsa
    id RHSA-2007:0829
  • rhsa
    id RHSA-2008:0133
rpms
  • java-1.5.0-sun-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-sun-demo-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-sun-devel-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-sun-jdbc-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-sun-plugin-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-sun-src-0:1.5.0.12-1jpp.2.el4
  • java-1.5.0-ibm-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-demo-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-demo-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-devel-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-devel-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-javacomm-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-javacomm-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-jdbc-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-jdbc-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-plugin-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-plugin-1:1.5.0.5-1jpp.2.el4
  • java-1.5.0-ibm-src-1:1.5.0.5-1jpp.0.1.el5
  • java-1.5.0-ibm-src-1:1.5.0.5-1jpp.2.el4
  • IBMJava2-JRE-1:1.3.1-17
  • IBMJava2-SDK-1:1.3.1-17
refmap via4
apple APPLE-SA-2007-12-14
bea BEA07-177.00
bid 25054
confirm http://support.avaya.com/elmodocs2/security/ASA-2007-322.htm
gentoo GLSA-200709-15
hp
  • HPSBMA02288
  • SSRT071465
misc http://docs.info.apple.com/article.html?artnum=307177
sectrack 1018428
secunia
  • 26314
  • 26369
  • 26631
  • 26645
  • 26933
  • 27266
  • 27635
  • 28115
  • 30805
slackware SSA:2007-243-01
sunalert 102995
suse SUSE-SA:2007:056
vupen
  • ADV-2007-2573
  • ADV-2007-3009
  • ADV-2007-3861
  • ADV-2007-4224
xf sun-java-class-unauthorized-access(35491)
Last major update 29-09-2017 - 01:29
Published 21-07-2007 - 00:30
Last modified 29-09-2017 - 01:29