Vulnerability Name:

CCN-9631

Published:2002-07-17
Updated:2002-07-17
Summary:Sun Java Web Start could allow a remote attacker to execute arbitrary code on the system. Java Web Start stores .jnlp files in a known location in the Java Web Start directory. A remote attacker could create a malicious Web page that could cause a Java Web Start .jnlp file to be automatically downloaded to the victim's computer. Malicious code within the downloaded .jnlp file could then be executed by calling the file from within the Web page.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: BugTraq Mailing List, Wed Jul 17 2002 - 18:41:38 CDT
Java webstart also allows execution of arbitrary code

Source: CCN
Type: BID-5263
Sun Java Web Start JNLP Predictable File Location Vulnerability

Source: XF
Type: UNKNOWN
webstart-jnlp-code-execution(9631)

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sun java web start 1.0.1_01
    sun java web start 1.0.1
    sun java web start 1.0
    sun java web start 1.0.1_02