CVSS: 5.0EPSS: 0%CPEs: 38EXPL: 0CVE-2009-3884 – OpenJDK zoneinfo file existence information leak (6824265)
https://notcve.org/view.php?id=CVE-2009-3884
The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265. El método TimeZone.getTimeZone en Sun Java SE 5.0 antes de Update22, Sun Java SE 6.0 antes de la actualización 17, y OpenJDK, permite a atacantes remotos determinar la existencia de archivos locales a través de vectores relacionados con el manejo de ficheros zoneinfo (aliasa TZ). Se trata del Bug ID 6824265. • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html http://java.sun.com/javase/6/webnotes/6u17.html http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html http://secunia.com/advisories/37386 http://secunia.com/advisories/37581 http://security.gentoo.org/glsa/glsa-200911-02.xml http://support.apple.com/kb/HT3969 http://support.apple.com/kb/HT3970 http://www.mandriva.com/security •
CVSS: 7.5EPSS: 0%CPEs: 79EXPL: 0CVE-2009-3883 – OpenJDK information leaks in mutable variables (6657026,6657138)
https://notcve.org/view.php?id=CVE-2009-3883
Multiple unspecified vulnerabilities in the Windows Pluggable Look and Feel (PL&F) feature in the Swing implementation in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, have unknown impact and remote attack vectors, related to "information leaks in mutable variables," aka Bug Id 6657138. Múltiples vulnerabilidades no especificadas en la funcionalidad Windows Pluggable Look and Feel (PL&F) de la implementación de Swing en Sun Java SE 5.0 antes de Update 22, Sun Java SE 6.0 antes de la actualización 17, y OpenJDK, tienen un impacto desconocido y vectores de ataque remotos, relacionados con "fugas de información en variables mutables". Se trata del Bug ID 6657138. • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html http://java.sun.com/javase/6/webnotes/6u17.html http://secunia.com/advisories/37386 http://security.gentoo.org/glsa/glsa-200911-02.xml http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 https://bugzilla.redhat.com/show_bug.cgi?id=530175 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10191 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6968 ht • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 38EXPL: 0CVE-2009-3728 – OpenJDK ICC_Profile file existence detection information leak (6631533)
https://notcve.org/view.php?id=CVE-2009-3728
Directory traversal vulnerability in the ICC_Profile.getInstance method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local International Color Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id 6631533. Vulnerabilidad de salto de directorio en el método ICC_Profile.getInstance en Java Runtime Environment (JRE) en Sun Java SE v5.0 anteriores a Update 22 y 6 anteriores a Update 17, y OpenJDK, permite a atacantes remotos saber que existen perfiles locales de color del consorcio internacional del color (IIC) a través de .. (punto punto) en el path, también conocido como Bug Id 6631533. • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html http://java.sun.com/javase/6/webnotes/6u17.html http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html http://secunia.com/advisories/37386 http://secunia.com/advisories/37581 http://security.gentoo.org/glsa/glsa-200911-02.xml http://support.apple.com/kb/HT3969 http://support.apple.com/kb/HT3970 http://www.mandriva.com/security • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 38EXPL: 0CVE-2009-3880 – OpenJDK UI logging information leakage(6664512)
https://notcve.org/view.php?id=CVE-2009-3880
The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id 6664512. El Abstract Window Toolkit (AWT) en Java Runtime Environment (JRE) en Sun Java SE v5.0 anteriores a Update 22 y 6 anteriores a Update 17, y OpenJDK, no restringen de forma adecuada los objetos que se pueden enviar a los usuarios que se loguean, lo que permite a atacantes remotos obtener información sensible a través de vectores relativos a la implementación del componente KeyboardFocusManager, y DefaultKeyboardFocusManager, también conocido como Bug Id 6664512. • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html http://java.sun.com/javase/6/webnotes/6u17.html http://secunia.com/advisories/37386 http://security.gentoo.org/glsa/glsa-200911-02.xml http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 https://bugzilla.redhat.com/show_bug.cgi?id=530296 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10761 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7316 ht • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2009-2475 – OpenJDK information leaks in mutable variables (6588003,6656586,6656610,6656625,6657133,6657619,6657625,6657695,6660049,6660539,6813167)
https://notcve.org/view.php?id=CVE-2009-2475
Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673. Sun Java SE v5.0 anterior a la actualización 20 y v6 anterior a la actualización 15, y OpenJDK, pueden permitir a atacantes dependientes del contexto obtener información confidencial a través de vectores de ataque relacionados con variables estáticas que son declaradas sin la palabra clave "final" relacionadas con (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) los complementos ("plugins") imageio, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) la clase "Introspector" y una caché de BeanInfo, y (12) JAX-WS, una vulnerabilidad diferente de CVE-2009-2673. • http://java.sun.com/j2se/1.5.0/ReleaseNotes.html http://java.sun.com/javase/6/webnotes/6u15.html http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html http://secunia.com/advisories/36162 http://secunia.com/advisories/36176 http://secunia.com/advisories/36180 http://secunia.com/advisories/36199 http://secunia.com/advisories/37386 http://security.gentoo.org/glsa/glsa-200911-02.xml&# • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •