CVE-2009-2689 - OpenCVE

JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Sun	Openjdk Java Se

Configuration 1 [-]

OR	cpe:2.3:a:sun:java_se::20::::::*
	cpe:2.3:a:sun:java_se::14::::::*
	cpe:2.3:a:sun:openjdk::::::::

References

Link	Resource
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html	Patch
http://java.sun.com/javase/6/webnotes/6u15.html
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
http://secunia.com/advisories/36162	Vendor Advisory
http://secunia.com/advisories/36180	Vendor Advisory
http://secunia.com/advisories/36199	Vendor Advisory
http://secunia.com/advisories/37386
http://security.gentoo.org/glsa/glsa-200911-02.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1	Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1	Patch
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.vupen.com/english/advisories/2009/2543
https://bugzilla.redhat.com/show_bug.cgi?id=513222
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9603
https://rhn.redhat.com/errata/RHSA-2009-1199.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2009-08-10T18:00:00

Updated: 2017-09-18T12:57:01

Reserved: 2009-08-05T00:00:00

Link: CVE-2009-2689

JSON object: View

NVD Information

Status : Modified

Published: 2009-08-10T18:30:00.420

Modified: 2017-09-19T01:29:16.810

Link: CVE-2009-2689

JSON object: View

Redhat Information

No data.

CWE

CWE-264

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-08-04T00:00:00", "descriptions": [{"lang": "en", "value": "JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2009:1199", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html"}, {"name": "36162", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36162"}, {"name": "ADV-2009-2543", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/2543"}, {"name": "oval:org.mitre.oval:def:9603", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9603"}, {"name": "GLSA-200911-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://security.gentoo.org/glsa/glsa-200911-02.xml"}, {"name": "36199", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36199"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1"}, {"name": "MDVSA-2009:209", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209"}, {"name": "FEDORA-2009-8329", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://java.sun.com/javase/6/webnotes/6u15.html"}, {"name": "36180", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/36180"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1"}, {"name": "FEDORA-2009-8337", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=513222"}, {"name": "SUSE-SR:2009:016", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://java.sun.com/j2se/1.5.0/ReleaseNotes.html"}, {"name": "APPLE-SA-2009-09-03-1", "tags": ["vendor-advisory", "x_refsource_APPLE"], "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html"}, {"name": "RHSA-2009:1201", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html"}, {"name": "37386", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37386"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-2689", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2009:1199", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html"}, {"name": "36162", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36162"}, {"name": "ADV-2009-2543", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/2543"}, {"name": "oval:org.mitre.oval:def:9603", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9603"}, {"name": "GLSA-200911-02", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200911-02.xml"}, {"name": "36199", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36199"}, {"name": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1", "refsource": "CONFIRM", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1"}, {"name": "MDVSA-2009:209", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209"}, {"name": "FEDORA-2009-8329", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html"}, {"name": "http://java.sun.com/javase/6/webnotes/6u15.html", "refsource": "CONFIRM", "url": "http://java.sun.com/javase/6/webnotes/6u15.html"}, {"name": "36180", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36180"}, {"name": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1", "refsource": "CONFIRM", "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1"}, {"name": "FEDORA-2009-8337", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=513222", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=513222"}, {"name": "SUSE-SR:2009:016", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html"}, {"name": "http://java.sun.com/j2se/1.5.0/ReleaseNotes.html", "refsource": "CONFIRM", "url": "http://java.sun.com/j2se/1.5.0/ReleaseNotes.html"}, {"name": "APPLE-SA-2009-09-03-1", "refsource": "APPLE", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html"}, {"name": "RHSA-2009:1201", "refsource": "REDHAT", "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html"}, {"name": "37386", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37386"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-2689", "datePublished": "2009-08-10T18:00:00", "dateReserved": "2009-08-05T00:00:00", "dateUpdated": "2017-09-18T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sun:java_se:*:20:*:*:*:*:*:*", "matchCriteriaId": "625B941A-B638-46C2-A840-83724D5F826B", "versionEndIncluding": "5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sun:java_se:*:14:*:*:*:*:*:*", "matchCriteriaId": "EB9DE8D5-D4F6-45DE-9DB4-9E5BB7E518F9", "versionEndIncluding": "6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sun:openjdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E78309B-E13F-4B65-9F59-39A993B900AF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JDK13Services.getProviders in Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, grants full privileges to instances of unspecified object types, which allows context-dependent attackers to bypass intended access restrictions via an untrusted (1) applet or (2) application."}, {"lang": "es", "value": "JDK13Services.getProviders en Sun Java SE v5.0 anteriores a Update 20 y v6 anteriores a Update 15, y en OpenJDK, proporciona privilegios completos a instancias de tipos de objeto no especificadas, permitiendo a atacantes dependientes del contexto saltar las restricciones de acceso previstas mediante (1)un applet o (2) una aplicaci\u00f3n no confiables."}], "id": "CVE-2009-2689", "lastModified": "2017-09-19T01:29:16.810", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-08-10T18:30:00.420", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://java.sun.com/j2se/1.5.0/ReleaseNotes.html"}, {"source": "cve@mitre.org", "url": "http://java.sun.com/javase/6/webnotes/6u15.html"}, {"source": "cve@mitre.org", "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36162"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36180"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/36199"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/37386"}, {"source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200911-02.xml"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125139-16-1"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2009/2543"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=513222"}, {"source": "cve@mitre.org", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9603"}, {"source": "cve@mitre.org", "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html"}, {"source": "cve@mitre.org", "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html"}, {"source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}