CVE-2013-1490

EUVD-2013-1526

31.01.2013, 14:55

Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431.  NOTE: as of 20130130, this vulnerability does not contain any independently-verifiable details, and there is no vendor acknowledgement. A CVE identifier is being assigned because this vulnerability has received significant public attention, and the original researcher has an established history of releasing vulnerability reports that have been fixed by vendors.  NOTE: this issue also exists in SE 6, but it cannot be exploited without a separate vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.3 UNKNOWN	NETWORK	MEDIUM		AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 72%

Affected Products (NVD)

Vendor	Product	Version
oracle	jdk	1.7.0
oracle	jre	1.7.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

openjdk-6

hardy	ignored
lucid	not-affected
oneiric	not-affected
precise	not-affected
quantal	Fixed 6b27-1.12.5-0ubuntu0.12.10.1 released
raring	Fixed 6b27-1.12.5-1ubuntu1 released

openjdk-6b18

hardy	dne
lucid	ignored
oneiric	ignored
precise	dne
quantal	dne
raring	dne

openjdk-7

hardy	dne
lucid	dne
oneiric	not-affected
precise	not-affected
quantal	not-affected
raring	not-affected

sun-java5

hardy	ignored
lucid	dne
oneiric	dne
precise	dne
quantal	dne
raring	dne

sun-java6

hardy	ignored
lucid	dne
oneiric	dne
precise	dne
quantal	dne
raring	dne

References

http://arstechnica.com/security/2013/01/critical-java-vulnerabilies-confirmed-in-latest-version/

http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53

http://seclists.org/fulldisclosure/2013/Jan/142

http://seclists.org/fulldisclosure/2013/Jan/195