CVE-2003-1229

Severity

75%

Complexity

99%

Confidentiality

106%

X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.

X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Sun

First reported 21 years ago

2003-12-31 05:00:00

Last updated 7 years ago

2017-10-11 01:29:00

Affected Software

Sun Java Web Start 1.0

1.0

Sun Java Web Start 1.0.1

1.0.1

Sun Java Web Start 1.2

1.2

Sun JSSE 1.0.3

1.0.3

References

20030128 Incorrect Certificate Validation in Java Secure Socket Extension

http://java.sun.com/products/jsse/CHANGES.txt

7943

Patch, Vendor Advisory

1006007

1007483

50081

Patch, Vendor Advisory

6682

Patch

1006001

HPSBUX0301-239

sun-java-improper-validation(11182)

oval:org.mitre.oval:def:5883

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.