Vulnerability Details: CVE-2013-2423
Public exploit exists!
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.
Threat overview for CVE-2013-2423
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2013-2423: 78
- Threat actors abusing this issue: Yes
CVE-2013-2423 is in the CISA Known Exploited Vulnerabilities Catalog
- CISA vulnerability name: Oracle JRE Unspecified Vulnerability
- CISA required action: Apply updates per vendor instructions.
- CISA description: Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity.
- Added on: 2022-05-25
- Action due date: 2022-06-15
Exploit prediction scoring system (EPSS) score for CVE-2013-2423
- Probability of exploitation activity in the next 30 days: 97.50%
- Percentile (the proportion of vulnerabilities that are scored at or less): ~100%
Metasploit modules for CVE-2013-2423
- Java Applet Reflection Type Confusion Remote Code Execution
  - Disclosure Date: 2013-01-10
  - First seen: 2020-04-26
  - Module: exploit/multi/browser/java_jre17_reflection_types
  - Description: This module abuses Java Reflection to generate a Type Confusion, due to a weak access control when setting final fields on static classes, and run code outside of the Java Sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click
CVSS scores for CVE-2013-2423
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
References for CVE-2013-2423
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html (openSUSE-SU-2013:0964-1: moderate: update for java-1_7_0-openjdk)
- http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0 (Java 7 Update 21 - IKVM.NET Weblog)
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f (jdk7u/jdk7u-dev/jdk: changeset b453d9be6b3f)
- http://www.us-cert.gov/ncas/alerts/TA13-107A (Oracle Has Released Multiple Updates for Java SE | CISA, US Government Resource)
- http://www.ubuntu.com/usn/USN-1806-1 (USN-1806-1: OpenJDK 7 vulnerabilities | Ubuntu security notices)
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130 (Support/Advisories/MGASA-2013-0130 - Mageia wiki)
- http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html (Trustwave SpiderLabs blog; link currently returns 404 Not Found)
- http://rhn.redhat.com/errata/RHSA-2013-0757.html (RHSA-2013:0757 - Security Advisory - Red Hat Customer Portal)
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:161 (MDVSA-2013:161 - mandriva.com)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700 (OVAL Repository definition 16700)
- http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/
- http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html (Oracle Java SE Critical Patch Update - April 2013, Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0752.html (RHSA-2013:0752 - Security Advisory - Red Hat Customer Portal)
- http://www.exploit-db.com/exploits/24976 (Java Applet - Reflection Type Confusion Remote Code Execution (Metasploit) - Multiple remote Exploit)
- https://bugzilla.redhat.com/show_bug.cgi?id=952398 (952398 – (CVE-2013-2423) CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677))
- http://security.gentoo.org/glsa/glsa-201406-32.xml (IcedTea JDK: Multiple vulnerabilities (GLSA 201406-32) — Gentoo security)
Products affected by CVE-2013-2423
- cpe:2.3:a:oracle:jdk:*:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:*:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*