Vulnerability Details : CVE-2009-2672
The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors.
Exploit prediction scoring system (EPSS) score for CVE-2009-2672
Probability of exploitation activity in the next 30 days: 3.66%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2009-2672
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2009-2672
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-2672
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/52337
-
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
Page not found | Oracle
-
http://marc.info/?l=bugtraq&m=125787273209737&w=2
'[security bulletin] HPSBUX02476 SSRT090250 rev.1 - HP-UX Running Java, Remote Increase in Privilege,' - MARC
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00003.html
-
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
Patch;Vendor Advisory
-
http://www.vupen.com/english/advisories/2009/2543
Webmail: access your OVH emails on ovhcloud.com | OVHcloud
- http://java.sun.com/javase/6/webnotes/6u15.html
-
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
VMSA-2009-0016.6
-
http://www.vupen.com/english/advisories/2009/3316
Webmail: access your OVH emails on ovhcloud.com | OVHcloud
- http://www.securityfocus.com/bid/35943
-
https://rhn.redhat.com/errata/RHSA-2009-1199.html
RHSA-2009:1199 - Security Advisory - Red Hat Customer Portal
-
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
Oracle Updates for Multiple Vulnerabilities | CISAUS Government Resource
- http://www.securitytracker.com/id?1022659
-
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:016 - openSUSE Security Announce - openSUSE Mailing Lists
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7723
-
https://rhn.redhat.com/errata/RHSA-2009-1201.html
RHSA-2009:1201 - Security Advisory - Red Hat Customer Portal
-
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263409-1
Patch;Vendor Advisory
- http://security.gentoo.org/glsa/glsa-200911-02.xml
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9359
-
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
[security-announce] SUSE Security Announcement: IBM Java 6 (SUSE-SA:2009:053) - openSUSE Security Announce - openSUSE Mailing Lists
-
https://rhn.redhat.com/errata/RHSA-2009-1200.html
RHSA-2009:1200 - Security Advisory - Red Hat Customer Portal
Products affected by CVE-2009-2672
- cpe:2.3:a:sun:jdk:*:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_9:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_9:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_17:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:5.0:update_16:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:6:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:*:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_9:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_9:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_16:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_17:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:6:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:5.0:update_19:*:*:*:*:*:*