CVE-2013-4578 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Severity

50%

Complexity

99%

Confidentiality

48%

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

CVSS 3.0 Base Score 5.3. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N).

Overview

Type

Oracle

First reported 7 years ago

2017-12-29 22:29:00

Last updated 7 years ago

2018-01-17 17:59:00

Affected Software

Oracle JDK 1.7.0 update1

1.7.0

Oracle JDK 1.7.0 Update 10

1.7.0

Oracle JDK 1.7.0 Update 11

1.7.0

Oracle JDK 1.7.0 Update 13

1.7.0

Oracle JDK 1.7.0 Update 15

1.7.0

Oracle JDK 1.7.0 Update 17

1.7.0

Oracle JDK 1.7.0 update2

1.7.0

Oracle JDK 1.7.0 Update 21

1.7.0

Oracle JDK 1.7.0 Update 25

1.7.0

Oracle JDK 1.7.0 update3

1.7.0

Oracle JDK 1.7.0 Update 4

1.7.0

Oracle JDK 1.7.0 Update 5

1.7.0

Oracle JDK 1.7.0 Update 6

1.7.0

Oracle JDK 1.7.0 Update 7

1.7.0

Oracle JDK 1.7.0 Update 9

1.7.0

Oracle JRE 1.7.0 update1

1.7.0

Oracle JRE 1.7.0 Update 10

1.7.0

Oracle JRE 1.7.0 Update 11

1.7.0

Oracle JRE 1.7.0 Update 13

1.7.0

Oracle JRE 1.7.0 Update 15

1.7.0

Oracle JRE 1.7.0 Update 17

1.7.0

Oracle JRE 1.7.0 update2

1.7.0

Oracle JRE 1.7.0 Update 21

1.7.0

Oracle JRE 1.7.0 Update 25

1.7.0

Oracle JRE 1.7.0 update3

1.7.0

Oracle JRE 1.7.0 Update 4

1.7.0

Oracle JRE 1.7.0 Update 5

1.7.0

Oracle JRE 1.7.0 Update 6

1.7.0

Oracle JRE 1.7.0 Update 7

1.7.0

Oracle JRE 1.7.0 Update 9

1.7.0

Oracle JRE

References

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e

Patch, Vendor Advisory

[oss-security] 20150208 CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Mailing List, Third Party Advisory

[oss-security] 20150209 Re: CVE-2013-4578 OpenJDK: jarsigner does not detect unsigned bytecode injected into signed jars

Mailing List, Third Party Advisory

RHSA-2014:0414

Patch, Third Party Advisory, VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=1031471

Issue Tracking, Patch, Third Party Advisory, VDB Entry

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.