ID CVE-2009-2671
Summary The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.
References
Vulnerable Configurations
  • cpe:2.3:a:sun:jdk:5.0:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_14:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_15:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_16:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_17:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:5.0:update_9:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jdk:6:update_9:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_14:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_15:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_16:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_17:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_19:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:5.0:update_9:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:6:update_9:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 10-10-2018 - 19:41)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity NONE
  • Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
  • accepted 2013-04-29T04:11:36.374-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.
    family unix
    id oval:org.mitre.oval:def:11115
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.
    version 18
  • accepted 2015-04-20T04:02:37.201-04:00
    class vulnerability
    contributors
    • name Pai Peng
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors.
    family unix
    id oval:org.mitre.oval:def:8259
    status accepted
    submitted 2010-03-22T17:00:25.000-04:00
    title HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other Vulnerabilities
    version 43
redhat via4
advisories
  • rhsa
    id RHSA-2009:1199
  • rhsa
    id RHSA-2009:1200
  • rhsa
    id RHSA-2009:1201
rpms
  • java-1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.2.b09.el5
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.2.b09.el5
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.2.b09.el5
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.2.b09.el5
refmap via4
apple APPLE-SA-2009-09-03-1
bid 35943
bugtraq 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
cert TA09-294A
confirm
fedora
  • FEDORA-2009-8329
  • FEDORA-2009-8337
gentoo GLSA-200911-02
hp
  • HPSBUX02476
  • SSRT090250
mandriva MDVSA-2009:209
sectrack 1022659
secunia
  • 36162
  • 36176
  • 36180
  • 36199
  • 36248
  • 37300
  • 37386
  • 37460
sunalert 263409
suse
  • SUSE-SA:2009:043
  • SUSE-SA:2009:053
  • SUSE-SR:2009:016
vupen
  • ADV-2009-2543
  • ADV-2009-3316
xf sun-jre-socks-info-disclosure(52336)
Last major update 10-10-2018 - 19:41
Published 05-08-2009 - 19:30