Vulnerability CVE-2007-5236 - CERT Civis.Net

Vulnerability Name:

CVE-2007-5236 (CCN-36944)

Assigned:

2007-10-03

Published:

2007-10-03

Updated:

2018-10-30

Summary:

Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted application.

CVSS v3 Severity:

3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.4 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2007-5236

Source: BEA
Type: UNKNOWN
BEA08-198.00

Source: CCN
Type: HP Security Bulletin HPSBUX02284 SSRT071483 rev.3
HP-UX Running Java JRE and JDK, Remote Unauthorized Access

Source: HP
Type: UNKNOWN
SSRT071483

Source: SUSE
Type: UNKNOWN
SUSE-SA:2008:025

Source: CCN
Type: SA27009
Sun Java JRE Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
27261

Source: SECUNIA
Type: UNKNOWN
27693

Source: SECUNIA
Type: UNKNOWN
27716

Source: SECUNIA
Type: UNKNOWN
28777

Source: CCN
Type: SA29042
BEA JRockit Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
29042

Source: SECUNIA
Type: UNKNOWN
29897

Source: CCN
Type: SA30676
VMware ESX Server update for Tomcat and Java JRE

Source: SECUNIA
Type: UNKNOWN
30676

Source: CCN
Type: SECTRACK ID: 1018770
Java Web Start Bugs Let Remote Users Read/Write Files on the Target User`s System

Source: CCN
Type: Sun Alert ID: 103073
Multiple Security Vulnerabilities in Java Web Start Relating to Local File Access

Source: SUNALERT
Type: Patch
103073

Source: CCN
Type: ASA-2007-422
Multiple Security Vulnerabilities in Java Web Start Relating to Local File Access (Sun 103073)

Source: CCN
Type: ASA-2008-049
HP-UX Running Java JRE and JDK Remote Unauthorized Access (HPSBUX02284)

Source: CONFIRM
Type: UNKNOWN
http://support.novell.com/techcenter/psdb/0c36b6416afc3868b8b1b9012955e323.html

Source: SUSE
Type: UNKNOWN
SUSE-SA:2007:055

Source: CCN
Type: OSVDB ID: 37764
Sun Java JDK / JRE on Windows Untrusted Application Arbitrary File Access

Source: BID
Type: UNKNOWN
25920

Source: CCN
Type: BID-25920
Sun Java WebStart Multiple File Access And Information Disclosure Vulnerabilities

Source: CCN
Type: VMSA-2008-0010
Updated Tomcat and Java JRE packages for VMware ESX 3.5

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2008-0010.html

Source: VUPEN
Type: UNKNOWN
ADV-2007-3895

Source: VUPEN
Type: UNKNOWN
ADV-2008-0609

Source: VUPEN
Type: UNKNOWN
ADV-2008-1856

Source: XF
Type: UNKNOWN
javaweb-unspecified-information-disclosure(36944)

Source: XF
Type: UNKNOWN
javaweb-cache-information-disclosure(36946)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:6115

Source: SUSE
Type: SUSE-SA:2007:055
Sun Java security problems

Source: SUSE
Type: SUSE-SA:2008:025
IBM Java security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jdk:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_1:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_2:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_3:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_4:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_5:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_6:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_7:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_8:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_9:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_10:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_11:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_12:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_13:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_14:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_15:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2_21:*:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update6:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_03:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_08:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_09:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_10:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_11:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_12:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_13:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_14:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_15:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:jre:1.4.2:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_11:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_12:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_13:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_14:*:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:update1:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:update2:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:update3:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:update4:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.4.2:update5:linux:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update6:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_03:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_08:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_09:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_10:*:*:*:*:*:*:*

OR cpe:/a:sun:sdk:1.4.2_15:*:*:*:*:*:*:*

AND

cpe:/o:hp:hp-ux:b.11.11:*:*:*:*:*:*:*

OR cpe:/o:hp:hp-ux:b.11.23:*:*:*:*:*:*:*

OR cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*

OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*

OR cpe:/o:suse:suse_linux:10.0::oss:*:*:*:*:*

OR cpe:/o:suse:suse_linux:10.1::personal:*:*:*:*:*

OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*

OR cpe:/o:hp:hp-ux:b.11.31:*:*:*:*:*:*:*

OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20075236	V	CVE-2007-5236	2022-05-20
oval:org.opensuse.security:def:31750	P	Security update for java-1_7_1-ibm (Moderate) (in QA)	2022-01-04
oval:org.opensuse.security:def:31701	P	Security update for pcre (Moderate)	2021-11-10
oval:org.opensuse.security:def:42127	P	Security update for glibc (Moderate)	2021-10-12
oval:org.opensuse.security:def:31274	P	Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)	2021-09-23
oval:org.opensuse.security:def:31253	P	Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)	2021-08-25
oval:org.opensuse.security:def:31645	P	Security update for ovmf (Important)	2021-06-22
oval:org.opensuse.security:def:31642	P	Security update for webkit2gtk3 (Important)	2021-06-17
oval:org.opensuse.security:def:31200	P	Security update for java-1_8_0-openjdk (Moderate)	2021-06-15
oval:org.opensuse.security:def:31188	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:31189	P	Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)	2021-06-04
oval:org.opensuse.security:def:26047	P	Security update for xen (Important)	2021-05-12
oval:org.opensuse.security:def:31345	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:32008	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)	2020-12-07
oval:org.opensuse.security:def:41974	P	java-1_4_2-ibm-1.4.2_sr13.3-1.1.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35567	P	java-1_4_2-ibm-1.4.2_sr13.3-1.1.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:35720	P	java-1_4_2-ibm-1.4.2_sr13.10-0.4.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:31406	P	Security update for perl-PlRPC (Moderate)	2020-12-01
oval:org.opensuse.security:def:31964	P	Security update for icu (Moderate)	2020-12-01
oval:org.opensuse.security:def:25194	P	Security update for adns (Important)	2020-12-01
oval:org.opensuse.security:def:25836	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:25272	P	Security update for vino (Moderate)	2020-12-01
oval:org.opensuse.security:def:25901	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:31489	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:32532	P	java-1_4_2-ibm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31498	P	Security update for python-numpy (Important)	2020-12-01
oval:org.opensuse.security:def:25322	P	Security update for tigervnc (Critical)	2020-12-01
oval:org.opensuse.security:def:25850	P	Security update for libreoffice (Low)	2020-12-01
oval:org.opensuse.security:def:25283	P	Security update for SUSE Manager Client Tools (Moderate)	2020-12-01
oval:org.opensuse.security:def:25950	P	Security update for evince (Important)	2020-12-01
oval:org.opensuse.security:def:31035	P	Security update for jpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:31555	P	Security update for sqlite3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32646	P	curl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25403	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25894	P	Security update for gstreamer-0_10-plugins-bad (Moderate)	2020-12-01
oval:org.opensuse.security:def:25347	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:25989	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31036	P	Security update for kdebase4-workspace	2020-12-01
oval:org.opensuse.security:def:32685	P	java-1_4_2-ibm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25460	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:26532	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25475	P	Security update for libssh (Important)	2020-12-01
oval:org.opensuse.security:def:26003	P	Security update for yaml-cpp (Moderate)	2020-12-01
oval:org.opensuse.security:def:31047	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:31798	P	Security update for OpenEXR (Moderate)	2020-12-01
oval:org.opensuse.security:def:25544	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:26567	P	java-1_4_2-ibm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25556	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:31121	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:31789	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:31854	P	Security update for cracklib (Moderate)	2020-12-01
oval:org.opensuse.security:def:25118	P	Security update for lftp (Moderate)	2020-12-01
oval:org.opensuse.security:def:25695	P	Security update for gcc9 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25613	P	Security update for libsolv (Moderate)	2020-12-01
oval:org.opensuse.security:def:26685	P	dhcp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31811	P	Security update for apache2 (Important)	2020-12-01
oval:org.opensuse.security:def:31903	P	Security update for fontconfig (Low)	2020-12-01
oval:org.opensuse.security:def:25119	P	Security update for libssh2_org (Moderate)	2020-12-01
oval:org.opensuse.security:def:25748	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:25697	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26720	P	java-1_4_2-ibm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31855	P	Security update for crash (Low)	2020-12-01
oval:org.opensuse.security:def:31942	P	Security update for gnome-session (Moderate)	2020-12-01
oval:org.opensuse.security:def:25130	P	Security update for ntp (Moderate)	2020-12-01
oval:org.opensuse.security:def:25797	P	Security update for flash-player (Important)	2020-12-01
oval:org.opensuse.security:def:25271	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25848	P	Security update for flex, at, bogofilter, cyrus-imapd, kdelibs4, libQtWebKit4, libbonobo, mdbtools, netpbm, openslp, sgmltool, virtuoso, libqt5-qtwebkit (Moderate)	2020-12-01
oval:org.opensuse.security:def:31402	P	Security update for perl-DBD-mysql (Moderate)	2020-12-01
oval:org.opensuse.security:def:32493	P	bzip2 on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:6115	V	HP-UX Running Java JRE and JDK, Remote Unauthorized Access	2015-04-20