Vulnerability Name:

CVE-2006-4302 (CCN-28621)

Assigned: 2006-08-21
Published: 2006-08-21
Updated: 2011-10-11
Summary: The Java Plug-in J2SE 1.3.0_02 through 5.0 Update 5, and Java Web Start 1.0 through 1.2 and J2SE 1.4.2 through 5.0 Update 5, allow remote attackers to exploit vulnerabilities by specifying a JRE version that contains vulnerabilities.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References: Source: MITRE
Type: CNA
CVE-2006-4302

Source: CCN
Type: SA21570
Java Plugin and Web Start Version Specification Security Issue

Source: SECUNIA
Type: Patch, Vendor Advisory
21570

Source: CCN
Type: SECTRACK ID: 1016732
Java Plug-in May Let Remote Users Exploit Old Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1016732

Source: CCN
Type: SECTRACK ID: 1016733
Java Web Start May Let Remote Users Exploit Old Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1016733

Source: CCN
Type: Sun Alert ID: 102557
Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE

Source: SUNALERT
Type: Patch
102557

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-205.htm

Source: OSVDB
Type: UNKNOWN
28109

Source: CCN
Type: OSVDB ID: 28109
Sun Java Plugin and Web Start Version Specification Weakness

Source: BUGTRAQ
Type: UNKNOWN
20041126 Java version downgrading proof-of-concept

Source: BID
Type: UNKNOWN
11757

Source: CCN
Type: BID-11757
Sun Java Applet Invocation Version Specification Weakness

Source: BID
Type: UNKNOWN
8879

Source: CCN
Type: BID-8879
Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2006-3354

Source: XF
Type: UNKNOWN
java-jre-security-bypass(28621)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:sun:j2se:1.3.0_02:*:sdk:*:*:*:*:*
  • OR cpe:/a:sun:j2se:1.4.2:*:sdk:*:*:*:*:*
  • OR cpe:/a:sun:j2se:5.0:*:sdk:*:*:*:*:*
  • OR cpe:/a:sun:j2se:5.0_update1:*:sdk:*:*:*:*:*
  • OR cpe:/a:sun:j2se:5.0_update5:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.2:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:sun:java_web_start:1.0.1_01:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.0.1_02:*:*:*:*:*:*:*
  • OR cpe:/a:sun:java_web_start:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:sun:j2se:1.4.2::sdk:*:*:*:*:*
  • OR cpe:/a:sun:j2se:1.3.0_02::sdk:*:*:*:*:*

  • * Denotes that component is vulnerable
    sun j2se 1.3.0_02
    sun j2se 1.4.2
    sun j2se 5.0
    sun j2se 5.0_update1
    sun j2se 5.0_update5
    sun java web start 1.0
    sun java web start 1.0.1
    sun java web start 1.0.1_01
    sun java web start 1.0.1_02
    sun java web start 1.2
    sun java web start 1.0.1_01
    sun java web start 1.0.1
    sun java web start 1.0
    sun java web start 1.0.1_02
    sun java web start 1.2
    sun j2se 1.4.2
    sun j2se 1.3.0_02