// For flags

CVE-2008-5339

Sun Java Web Start and Applet Multiple Sandbox Bypass Vulnerabilities

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to perform network connections to unauthorized hosts via unknown vectors, aka CR 6727079.

Vulnerabilidad no especificada en Java Web Start (JWS) y Java Plug-in en Sun JDK y JRE v6 Update 10 y anteriores; JDK y JRE v5.0 Update 16 y anteriores; y en SDK y JRE v1.4.2_18 y anteriores permite que aplicaciones JWS no confiables realicen conexiones de red con sistemas no autorizados mediante vectores desconocidos.

These vulnerabilities allow remote attackers to bypass sandbox restrictions on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The first vulnerability results in a cache location and a user name information disclosure. By accessing the SI_FILEDIR property of a SingleInstanceImpl class, the location of the temporary single instance files can be parsed to discover the user name and cache location.
The second vulnerability allows applets to read any file on a victim's filesystem, outside of the restricted path of the applet. The specific flaw exists in the handling of the file: protocol assigned to an applet codebase. If the codebase points to the local filesystem, any file is then readable by the malicious applet.
The third vulnerability allows JNLP files to bypass socket restrictions. By loading a secondary JNLP with an href attribute containing a wildcard. When this object is instantiated, all hosts are eligible for socket connect and accept.

*Credits: Peter Csepely
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-12-04 CVE Reserved
  • 2008-12-04 CVE Published
  • 2024-05-10 EPSS Updated
  • 2024-08-07 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (32)
URL Tag Source
http://secunia.com/advisories/32991 Third Party Advisory
http://secunia.com/advisories/33015 Third Party Advisory
http://secunia.com/advisories/33528 Third Party Advisory
http://secunia.com/advisories/33710 Third Party Advisory
http://secunia.com/advisories/34233 Third Party Advisory
http://secunia.com/advisories/34605 Third Party Advisory
http://secunia.com/advisories/34889 Third Party Advisory
http://secunia.com/advisories/35065 Third Party Advisory
http://secunia.com/advisories/37386 Third Party Advisory
http://secunia.com/advisories/38539 Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2008-486.htm X_refsource_confirm
http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm X_refsource_confirm
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=829914&poid= X_refsource_confirm
http://www.us-cert.gov/cas/techalerts/TA08-340A.html Third Party Advisory
http://www.vupen.com/english/advisories/2008/3339 Vdb Entry
http://www.vupen.com/english/advisories/2009/0672 Vdb Entry
http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6409 Signature
URL Date SRC
URL Date SRC
http://sunsolve.sun.com/search/document.do?assetkey=1-26-244988-1 2017-09-29
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00009.html 2017-09-29
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00004.html 2017-09-29
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html 2017-09-29
http://marc.info/?l=bugtraq&m=123678756409861&w=2 2017-09-29
http://marc.info/?l=bugtraq&m=126583436323697&w=2 2017-09-29
http://rhn.redhat.com/errata/RHSA-2008-1018.html 2017-09-29
http://rhn.redhat.com/errata/RHSA-2008-1025.html 2017-09-29
http://security.gentoo.org/glsa/glsa-200911-02.xml 2017-09-29
http://www.redhat.com/support/errata/RHSA-2009-0015.html 2017-09-29
http://www.redhat.com/support/errata/RHSA-2009-0016.html 2017-09-29
http://www.redhat.com/support/errata/RHSA-2009-0445.html 2017-09-29
https://access.redhat.com/security/cve/CVE-2008-5339 2009-04-23
https://bugzilla.redhat.com/show_bug.cgi?id=474772 2009-04-23
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 <= 5.0
Search vendor "Sun" for product "Jdk" and version " <= 5.0"
update_16
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 <= 6
Search vendor "Sun" for product "Jdk" and version " <= 6"
update_10
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_1
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_10
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_11
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_12
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_13
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_14
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_15
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_2
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_3
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_4
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_5
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_6
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_7
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_8
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 5.0
Search vendor "Sun" for product "Jdk" and version "5.0"
update_9
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
-
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_1
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_2
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_3
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_4
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_5
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_6
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_7
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_8
Affected
Sun
Search vendor "Sun"
 Jdk
Search vendor "Sun" for product "Jdk"
 6
Search vendor "Sun" for product "Jdk" and version "6"
update_9
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 <= 1.4.2_18
Search vendor "Sun" for product "Jre" and version " <= 1.4.2_18"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 <= 5.0
Search vendor "Sun" for product "Jre" and version " <= 5.0"
update_16
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 <= 6
Search vendor "Sun" for product "Jre" and version " <= 6"
update_10
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_1
Search vendor "Sun" for product "Jre" and version "1.4.2_1"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_2
Search vendor "Sun" for product "Jre" and version "1.4.2_2"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_3
Search vendor "Sun" for product "Jre" and version "1.4.2_3"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_4
Search vendor "Sun" for product "Jre" and version "1.4.2_4"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_5
Search vendor "Sun" for product "Jre" and version "1.4.2_5"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_6
Search vendor "Sun" for product "Jre" and version "1.4.2_6"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_7
Search vendor "Sun" for product "Jre" and version "1.4.2_7"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_8
Search vendor "Sun" for product "Jre" and version "1.4.2_8"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_9
Search vendor "Sun" for product "Jre" and version "1.4.2_9"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_10
Search vendor "Sun" for product "Jre" and version "1.4.2_10"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_11
Search vendor "Sun" for product "Jre" and version "1.4.2_11"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_12
Search vendor "Sun" for product "Jre" and version "1.4.2_12"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_13
Search vendor "Sun" for product "Jre" and version "1.4.2_13"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_14
Search vendor "Sun" for product "Jre" and version "1.4.2_14"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_15
Search vendor "Sun" for product "Jre" and version "1.4.2_15"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_16
Search vendor "Sun" for product "Jre" and version "1.4.2_16"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 1.4.2_17
Search vendor "Sun" for product "Jre" and version "1.4.2_17"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_1
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_10
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_11
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_12
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_13
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_14
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_15
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_2
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_3
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_4
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_5
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_6
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_7
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_8
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 5.0
Search vendor "Sun" for product "Jre" and version "5.0"
update_9
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
-
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_1
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_2
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_3
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_4
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_5
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_6
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_7
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_8
Affected
Sun
Search vendor "Sun"
 Jre
Search vendor "Sun" for product "Jre"
 6
Search vendor "Sun" for product "Jre" and version "6"
update_9
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 <= 1.4.2_18
Search vendor "Sun" for product "Sdk" and version " <= 1.4.2_18"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_1
Search vendor "Sun" for product "Sdk" and version "1.4.2_1"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_2
Search vendor "Sun" for product "Sdk" and version "1.4.2_2"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_3
Search vendor "Sun" for product "Sdk" and version "1.4.2_3"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_4
Search vendor "Sun" for product "Sdk" and version "1.4.2_4"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_5
Search vendor "Sun" for product "Sdk" and version "1.4.2_5"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_6
Search vendor "Sun" for product "Sdk" and version "1.4.2_6"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_7
Search vendor "Sun" for product "Sdk" and version "1.4.2_7"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_8
Search vendor "Sun" for product "Sdk" and version "1.4.2_8"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_9
Search vendor "Sun" for product "Sdk" and version "1.4.2_9"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_10
Search vendor "Sun" for product "Sdk" and version "1.4.2_10"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_11
Search vendor "Sun" for product "Sdk" and version "1.4.2_11"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_12
Search vendor "Sun" for product "Sdk" and version "1.4.2_12"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_13
Search vendor "Sun" for product "Sdk" and version "1.4.2_13"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_14
Search vendor "Sun" for product "Sdk" and version "1.4.2_14"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_15
Search vendor "Sun" for product "Sdk" and version "1.4.2_15"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_16
Search vendor "Sun" for product "Sdk" and version "1.4.2_16"
-
Affected
Sun
Search vendor "Sun"
 Sdk
Search vendor "Sun" for product "Sdk"
 1.4.2_17
Search vendor "Sun" for product "Sdk" and version "1.4.2_17"
-
Affected