Vulnerability Name:

CVE-2013-2027 (CCN-102960)

Assigned: 2013-02-19
Published: 2015-02-13
Updated: 2018-10-30
Summary: Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
CVSS v3 Severity: 5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 4.6 Medium (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P)
3.4 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:
Source: CCN
Type: MGASA-2015-0096
Updated jython packages fix CVE-2013-2027

Source: CONFIRM
Type: Third Party Advisory
http://advisories.mageia.org/MGASA-2015-0096.html

Source: MITRE
Type: CNA
CVE-2013-2027

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2015:0269

Source: CCN
Type: Jython Web site
The Jython Project

Source: MANDRIVA
Type: Broken Link
MDVSA-2015:158

Source: CCN
Type: Oracle CPUJul2017
Oracle Critical Patch Update Advisory - July 2017

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Source: CCN
Type: Red Hat Bugzilla - Bug 947949
Jython creates executables class files with wrong permissions

Source: MISC
Type: Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=947949

Source: XF
Type: UNKNOWN
jython-cve20132027-sec-bypass(102960)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-2027

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:jython_project:jython:2.2.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:jython_project:jython:2.2.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20132027 | V | CVE-2013-2027 | 2023-06-22
oval:org.opensuse.security:def:8028 | P | jython-2.2.1-150400.18.8 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:3397 | P | wget-1.14-21.10.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:1399 | P | Security update for the Linux Kernel (Live Patch 7 for SLE 15 SP3) (Important) (in QA) | 2022-06-27
oval:org.opensuse.security:def:95027 | P | jython-2.2.1-150400.18.8 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:893 | P | Security update for libxml2 (Important) | 2022-05-19
oval:org.opensuse.security:def:1345 | P | Security update for the Linux Kernel (Live Patch 6 for SLE 15 SP3) (Important) | 2022-05-10
oval:org.opensuse.security:def:1299 | P | Security update for the Linux Kernel (Important) | 2022-04-13
oval:org.opensuse.security:def:847 | P | Security update for kernel-firmware (Important) | 2022-03-31
oval:org.opensuse.security:def:1814 | P | Security update for MozillaThunderbird (Important) | 2022-02-23
oval:org.opensuse.security:def:112485 | P | jython-2.2.1-16.10 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:64637 | P | Security update for fetchmail (Moderate) | 2021-12-14
oval:org.opensuse.security:def:105980 | P | jython-2.2.1-16.10 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:71337 | P | libxml2-2-2.9.7-3.6.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71224 | P | libICE-devel-1.0.9-1.25 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:48069 | P | libSDL-1_2-0-1.2.15-15.11.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47550 | P | apache-commons-beanutils-1.9.2-1.149 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47368 | P | liblcms1-1.19-17.28 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47875 | P | res-signingkeys-3.0.38-52.26.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47383 | P | libnghttp2-14-1.7.1-1.84 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48115 | P | libgcrypt20-1.6.1-16.68.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47697 | P | libcairo-gobject2-1.15.2-25.3.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47414 | P | libssh2-1-1.4.3-19.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47921 | P | xen-4.11.0_08-1.11 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47429 | P | libvncclient0-0.9.9-16.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48283 | P | python-imaging-1.1.7-21.15 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47743 | P | libmpfr4-3.1.2-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47369 | P | libldap-2_4-2-2.4.41-18.29.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47967 | P | busybox-1.21.1-3.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47504 | P | squidGuard-1.4-29.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48329 | P | ucode-intel-20191112-1.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47829 | P | mipv6d-2.0.2.umip.0.4-19.63 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47415 | P | libsystemd0-228-142.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:1929 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:100850 | P | groff-1.22.3-5.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72737 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:63018 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101276 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:64550 | P | Security update for libvirt (Moderate) | 2021-07-27
oval:org.opensuse.security:def:1767 | P | Security update for the Linux Kernel (Important) | 2021-06-28
oval:org.opensuse.security:def:48571 | P | libxml2-2-2.9.4-27.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48367 | P | apache-commons-httpclient-3.1-4.364 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48494 | P | libgc1-7.2d-3.75 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48596 | P | perl-HTML-Parser-3.71-1.145 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48413 | P | evince-3.20.1-5.66 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48540 | P | libproxy1-0.4.13-16.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48642 | P | vorbis-tools-1.4.0-26.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48429 | P | glibc-2.22-49.16 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:66816 | P | Security update for qemu (Important) | 2021-06-08
oval:org.opensuse.security:def:48525 | P | libmusicbrainz4-2.1.5-27.79 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:72575 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:62856 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48475 | P | libXv1-1.0.10-3.56 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:67984 | P | Security update for the Linux Kernel (Live Patch 22 for SLE 15 SP1) (Important) | 2021-05-25
oval:org.opensuse.security:def:66724 | P | Security update for php7 (Moderate) | 2021-01-13
oval:org.opensuse.security:def:70172 | P | Security update for webkit2gtk3 (Important) | 2020-12-17
oval:org.opensuse.security:def:89982 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72622 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103637 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62903 | P | jython-2.2.1-4.36 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:1869 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:94137 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:72677 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107516 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62958 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117074 | P | jython-2.2.1-11.65 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:70067 | P | libIlmImf-2_2-23 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49840 | P | jython on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73389 | P | gnome-shell on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49686 | P | libout123-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73507 | P | jython on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49732 | P | crash on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67884 | P | ibus-chewing on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49740 | P | jython on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49786 | P | jython on GA media (Moderate) | 2020-12-01
oval:com.ubuntu.precise:def:20132027000 | V | CVE-2013-2027 on Ubuntu 12.04 LTS (precise) - medium. | 2015-02-13
oval:com.ubuntu.xenial:def:201320270000000 | V | CVE-2013-2027 on Ubuntu 16.04 LTS (xenial) - medium. | 2015-02-13
oval:com.ubuntu.trusty:def:20132027000 | V | CVE-2013-2027 on Ubuntu 14.04 LTS (trusty) - medium. | 2015-02-13
oval:com.ubuntu.xenial:def:20132027000 | V | CVE-2013-2027 on Ubuntu 16.04 LTS (xenial) - medium. | 2015-02-13
    opensuse opensuse 13.1
    opensuse opensuse 13.2
    jython_project jython 2.2.1
    jython_project jython 2.2.1
    oracle weblogic server 10.3.6.0.0
    oracle weblogic server 12.1.3.0.0
    oracle weblogic server 12.2.1.1.0
    oracle weblogic server 12.2.1.2.0