CVE-2013-4578

high-risk
Published 2017-12-29

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

Do I need to act?

-
0.29% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jdk
Jre
Jre
Jre
Jre
Jre

Affected Vendors

Oracle

References (10)

Patch http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
Mailing List http://www.openwall.com/lists/oss-security/2015/02/08/6
Mailing List http://www.openwall.com/lists/oss-security/2015/02/09/9
Patch https://access.redhat.com/errata/RHSA-2014:0414
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1031471
Patch http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
Mailing List http://www.openwall.com/lists/oss-security/2015/02/08/6
Mailing List http://www.openwall.com/lists/oss-security/2015/02/09/9
Patch https://access.redhat.com/errata/RHSA-2014:0414
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1031471
50
/ 100
high-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 28/34 · Critical