CVE-2013-5830
Oracle Java LDAP Deserialization Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
254Public Exploits
0Exploited in Wild
-Decision
Descriptions
Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Vulnerabilidad no especificada en Oracle Java SE v7u40 y anteriores, Java SE v6u60 y anteriores, Java SE v5.0u51 y anteriores, JRockit R28.2.8 y anteriores, JRockit R27.7.6 y anteriores, y Java SE Embedded v7u40 y anteriores permite a atacantes remotos afectar a la confidencialidad, integridad y disponibilidad a través de vectores desconocidos relacionados con las librerías.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of LDAP deserialization. An attacker can use a custom LDAP server to create objects in restricted packages, and leverage this to disable the Java sandbox and execute arbitrary code in the context of the user.
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit. Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-09-18 CVE Reserved
- 2013-10-16 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (27)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/56338 | Not Applicable | |
| http://support.apple.com/kb/HT5982 | Third Party Advisory |
|
| http://www-01.ibm.com/support/docview.wss?uid=swg21655201 | Third Party Advisory | |
| http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-... | Third Party Advisory | |
| http://www.securityfocus.com/bid/63121 | Third Party Advisory | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitr... | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|