{
  "affected": [],
  "aliases": [
    "CVE-2013-0422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-01-10T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.",
  "id": "GHSA-r293-6mhc-29xx",
  "modified": "2025-10-22T03:30:32Z",
  "published": "2022-05-05T02:48:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0422"
    },
    {
      "type": "WEB",
      "url": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"
    },
    {
      "type": "WEB",
      "url": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"
    },
    {
      "type": "WEB",
      "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"
    },
    {
      "type": "WEB",
      "url": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422"
    },
    {
      "type": "WEB",
      "url": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"
    },
    {
      "type": "WEB",
      "url": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released"
    },
    {
      "type": "WEB",
      "url": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"
    },
    {
      "type": "WEB",
      "url": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware"
    },
    {
      "type": "WEB",
      "url": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0156.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0165.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/bugtraq/2013/Jan/48"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/625617"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1693-1"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA13-010A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

{
  "cisaActionDue": "2022-06-15",
  "cisaExploitAdd": "2022-05-25",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "Oracle JRE Remote Code Execution Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "ACABC935-5DD6-4F85-992E-70AD517EF41D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*",
              "matchCriteriaId": "6152036D-6421-4AE4-9223-766FE07B5A44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*",
              "matchCriteriaId": "FE8B0935-6637-413D-B896-28E0ED7F2CEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*",
              "matchCriteriaId": "D375CECB-405C-4E18-A7E8-9C5A2F97BD69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*",
              "matchCriteriaId": "52EEEA5A-E77C-43CF-A063-9D5C64EA1870",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*",
              "matchCriteriaId": "003746F6-DEF0-4D0F-AD97-9E335868E301",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*",
              "matchCriteriaId": "CF830E0E-0169-4B6A-81FF-2E9FCD7D913B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*",
              "matchCriteriaId": "6BAE3670-0938-480A-8472-DFF0B3A0D0BF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*",
              "matchCriteriaId": "0EC967FF-26A6-4498-BC09-EC23B2B75CBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*",
              "matchCriteriaId": "02781457-4E40-46A9-A5F7-945232A8C2B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "DFAA351A-93CD-46A8-A480-CE2783CCD620",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*",
              "matchCriteriaId": "F4B153FD-E20B-4909-8B10-884E48F5B590",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*",
              "matchCriteriaId": "F21933FB-A27C-4AF3-9811-2DE28484A5A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*",
              "matchCriteriaId": "CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*",
              "matchCriteriaId": "5831D70B-3854-4CB8-B88D-40F1743DAEE0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*",
              "matchCriteriaId": "EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*",
              "matchCriteriaId": "BA302DF3-ABBB-4262-B206-4C0F7B5B1E91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*",
              "matchCriteriaId": "F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*",
              "matchCriteriaId": "0CD8A54E-185B-4D34-82EF-C0C05739EC12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*",
              "matchCriteriaId": "4FFC7F0D-1F32-4235-8359-277CE41382DF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades en Java de Oracle versi\u00f3n 7 anterior a Update 11, permiten a los atacantes remotos ejecutar c\u00f3digo arbitrario mediante (1) utilizando el m\u00e9todo p\u00fablico getMBeanInstantiator en la clase JmxMBeanServer para obtener una referencia a un objeto MBeanInstantiator privado, a continuaci\u00f3n, recuperar referencias arbitrarias Class mediante el m\u00e9todo findClass y (2) mediante la API Reflection con recursi\u00f3n de una manera que omita una comprobaci\u00f3n de seguridad mediante el m\u00e9todo java.lang.invoke.MethodHandles.Lookup.checkSecurityManager debido a la incapacidad del m\u00e9todo sun.reflect.Reflection.getCallerClass para omitir marcos relacionados con la nueva API reflection, como se explot\u00f3 \u201cin the wild\u201d en Enero de 2013, como es demostrado por Blackhole y Nuclear Pack, y una vulnerabilidad diferente de CVE-2012-4681 y CVE-2012-3174. NOTA: algunas partes han mapeado el problema recursivo de la API Reflection al CVE-2012-3174, pero el CVE-2012-3174 es para una vulnerabilidad diferente cuyos detalles no son p\u00fablicos a partir de 20130114. El CVE-2013-0422 cubre los problemas de JMX/MBean y API Reflection. NOTA: originalmente se inform\u00f3 que Java versi\u00f3n 6 tambi\u00e9n era vulnerable, pero el reportero se ha retractado de esta afirmaci\u00f3n, declarando que Java versi\u00f3n 6 no es explotable porque el c\u00f3digo relevante se llama de una manera que no omita las comprobaciones de seguridad. NOTA: a partir de 20130114, un tercero confiable ha afirmado que el vector findClass/MBeanInstantiator no se corrigi\u00f3 en Java de Oracle versi\u00f3n 7 Update 11. Si todav\u00eda hay una condici\u00f3n vulnerable, se podr\u00eda crear un identificador CVE independiente para el problema no corregido."
    }
  ],
  "id": "CVE-2013-0422",
  "lastModified": "2025-10-22T01:15:46.217",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 10.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2013-01-10T21:55:00.777",
  "references": [
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0156.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0165.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/bugtraq/2013/Jan/48"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/625617"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-1693-1"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA13-010A.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory"
      ],
      "url": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0156.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0165.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/bugtraq/2013/Jan/48"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/625617"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.ubuntu.com/usn/USN-1693-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA13-010A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422"
    }
  ],
  "sourceIdentifier": "secalert_us@oracle.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

{
  "GSD": {
    "alias": "CVE-2013-0422",
    "description": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.",
    "id": "GSD-2013-0422",
    "references": [
      "https://www.suse.com/security/cve/CVE-2013-0422.html",
      "https://access.redhat.com/errata/RHSA-2013:0626",
      "https://access.redhat.com/errata/RHSA-2013:0165",
      "https://access.redhat.com/errata/RHSA-2013:0156",
      "https://linux.oracle.com/cve/CVE-2013-0422.html",
      "https://packetstormsecurity.com/files/cve/CVE-2013-0422"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-0422"
      ],
      "details": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.",
      "id": "GSD-2013-0422",
      "modified": "2023-12-13T01:22:15.535949Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert_us@oracle.com",
        "ID": "CVE-2013-0422",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "RHSA-2013:0156",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0156.html"
          },
          {
            "name": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html",
            "refsource": "MISC",
            "url": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"
          },
          {
            "name": "MDVSA-2013:095",
            "refsource": "MANDRIVA",
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"
          },
          {
            "name": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/",
            "refsource": "MISC",
            "url": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"
          },
          {
            "name": "openSUSE-SU-2013:0199",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"
          },
          {
            "name": "RHSA-2013:0165",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0165.html"
          },
          {
            "name": "VU#625617",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/625617"
          },
          {
            "name": "TA13-010A",
            "refsource": "CERT",
            "url": "http://www.us-cert.gov/cas/techalerts/TA13-010A.html"
          },
          {
            "name": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf",
            "refsource": "MISC",
            "url": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"
          },
          {
            "name": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html",
            "refsource": "MISC",
            "url": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"
          },
          {
            "name": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us",
            "refsource": "MISC",
            "url": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"
          },
          {
            "name": "USN-1693-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-1693-1"
          },
          {
            "name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018",
            "refsource": "CONFIRM",
            "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"
          },
          {
            "name": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html",
            "refsource": "MISC",
            "url": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"
          },
          {
            "name": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013",
            "refsource": "MISC",
            "url": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"
          },
          {
            "name": "20130110 [SE-2012-01] \u0027Fix\u0027 for Issue 32 exploited by new Java 0-day code",
            "refsource": "BUGTRAQ",
            "url": "http://seclists.org/bugtraq/2013/Jan/48"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
          },
          {
            "name": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/",
            "refsource": "MISC",
            "url": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"
          },
          {
            "name": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/",
            "refsource": "MISC",
            "url": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "cisaActionDue": "2022-06-15",
        "cisaExploitAdd": "2022-05-25",
        "cisaRequiredAction": "Apply updates per vendor instructions.",
        "cisaVulnerabilityName": "Oracle JRE Remote Code Execution Vulnerability",
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*",
                    "matchCriteriaId": "ACABC935-5DD6-4F85-992E-70AD517EF41D",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*",
                    "matchCriteriaId": "6152036D-6421-4AE4-9223-766FE07B5A44",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*",
                    "matchCriteriaId": "FE8B0935-6637-413D-B896-28E0ED7F2CEC",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*",
                    "matchCriteriaId": "D375CECB-405C-4E18-A7E8-9C5A2F97BD69",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*",
                    "matchCriteriaId": "52EEEA5A-E77C-43CF-A063-9D5C64EA1870",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*",
                    "matchCriteriaId": "003746F6-DEF0-4D0F-AD97-9E335868E301",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*",
                    "matchCriteriaId": "CF830E0E-0169-4B6A-81FF-2E9FCD7D913B",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*",
                    "matchCriteriaId": "6BAE3670-0938-480A-8472-DFF0B3A0D0BF",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*",
                    "matchCriteriaId": "0EC967FF-26A6-4498-BC09-EC23B2B75CBA",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*",
                    "matchCriteriaId": "02781457-4E40-46A9-A5F7-945232A8C2B1",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*",
                    "matchCriteriaId": "DFAA351A-93CD-46A8-A480-CE2783CCD620",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*",
                    "matchCriteriaId": "F4B153FD-E20B-4909-8B10-884E48F5B590",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*",
                    "matchCriteriaId": "F21933FB-A27C-4AF3-9811-2DE28484A5A6",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*",
                    "matchCriteriaId": "CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*",
                    "matchCriteriaId": "5831D70B-3854-4CB8-B88D-40F1743DAEE0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*",
                    "matchCriteriaId": "EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*",
                    "matchCriteriaId": "BA302DF3-ABBB-4262-B206-4C0F7B5B1E91",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*",
                    "matchCriteriaId": "F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*",
                    "matchCriteriaId": "0CD8A54E-185B-4D34-82EF-C0C05739EC12",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*",
                    "matchCriteriaId": "4FFC7F0D-1F32-4235-8359-277CE41382DF",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*",
                    "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue."
          },
          {
            "lang": "es",
            "value": "M\u00faltiples vulnerabilidades en Java de Oracle versi\u00f3n 7 anterior a Update 11, permiten a los atacantes remotos ejecutar c\u00f3digo arbitrario mediante (1) utilizando el m\u00e9todo p\u00fablico getMBeanInstantiator en la clase JmxMBeanServer para obtener una referencia a un objeto MBeanInstantiator privado, a continuaci\u00f3n, recuperar referencias arbitrarias Class mediante el m\u00e9todo findClass y (2) mediante la API Reflection con recursi\u00f3n de una manera que omita una comprobaci\u00f3n de seguridad mediante el m\u00e9todo java.lang.invoke.MethodHandles.Lookup.checkSecurityManager debido a la incapacidad del m\u00e9todo sun.reflect.Reflection.getCallerClass para omitir marcos relacionados con la nueva API reflection, como se explot\u00f3 \u201cin the wild\u201d en Enero de 2013, como es demostrado por Blackhole y Nuclear Pack, y una vulnerabilidad diferente de CVE-2012-4681 y CVE-2012-3174. NOTA: algunas partes han mapeado el problema recursivo de la API Reflection al CVE-2012-3174, pero el CVE-2012-3174 es para una vulnerabilidad diferente cuyos detalles no son p\u00fablicos a partir de 20130114. El CVE-2013-0422 cubre los problemas de JMX/MBean y API Reflection. NOTA: originalmente se inform\u00f3 que Java versi\u00f3n 6 tambi\u00e9n era vulnerable, pero el reportero se ha retractado de esta afirmaci\u00f3n, declarando que Java versi\u00f3n 6 no es explotable porque el c\u00f3digo relevante se llama de una manera que no omita las comprobaciones de seguridad. NOTA: a partir de 20130114, un tercero confiable ha afirmado que el vector findClass/MBeanInstantiator no se corrigi\u00f3 en Java de Oracle versi\u00f3n 7 Update 11. Si todav\u00eda hay una condici\u00f3n vulnerable, se podr\u00eda crear un identificador CVE independiente para el problema no corregido."
          }
        ],
        "id": "CVE-2013-0422",
        "lastModified": "2024-04-26T16:07:03.190",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "HIGH",
              "cvssData": {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "availabilityImpact": "COMPLETE",
                "baseScore": 10.0,
                "confidentialityImpact": "COMPLETE",
                "integrityImpact": "COMPLETE",
                "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              },
              "exploitabilityScore": 10.0,
              "impactScore": 10.0,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": true
            }
          ]
        },
        "published": "2013-01-10T21:55:00.777",
        "references": [
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Not Applicable"
            ],
            "url": "http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Broken Link"
            ],
            "url": "http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Broken Link",
              "Third Party Advisory"
            ],
            "url": "http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0156.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0165.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "http://seclists.org/bugtraq/2013/Jan/48"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory",
              "US Government Resource"
            ],
            "url": "http://www.kb.cert.org/vuls/id/625617"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Not Applicable"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "http://www.ubuntu.com/usn/USN-1693-1"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory",
              "US Government Resource"
            ],
            "url": "http://www.us-cert.gov/cas/techalerts/TA13-010A.html"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Broken Link"
            ],
            "url": "https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Not Applicable"
            ],
            "url": "https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"
          },
          {
            "source": "secalert_us@oracle.com",
            "tags": [
              "Not Applicable"
            ],
            "url": "https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"
          }
        ],
        "sourceIdentifier": "secalert_us@oracle.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-264"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Java version 7 (premi\u00e8re vuln\u00e9rabilit\u00e9)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Versions ant\u00e9rieures \u00e0 Oracle Java version 7 mise \u00e0 jour 11 (deuxi\u00e8me vuln\u00e9rabilit\u00e9)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "closed_at": "2013-01-15",
  "content": "## Solution\n\nInstaller la derni\u00e8re version stable de Oracle Java :\n\n-   Oracle Java version 1.7.11\n",
  "cves": [
    {
      "name": "CVE-2013-0422",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-0422"
    },
    {
      "name": "CVE-2012-3174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-3174"
    }
  ],
  "initial_release_date": "2013-01-10T00:00:00",
  "last_revision_date": "2013-01-15T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle Java version 1.7 du 13 janvier    2013 :",
      "url": "http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html"
    }
  ],
  "reference": "CERTA-2013-ALE-001",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2013-01-10T00:00:00.000000"
    },
    {
      "description": "ajout du correctif \u00e9diteur",
      "revision_date": "2013-01-14T00:00:00.000000"
    },
    {
      "description": "mise \u00e0 jour syst\u00e8mes affect\u00e9s",
      "revision_date": "2013-01-15T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "Deux vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan class=\"textit\"\u003eOracle\nJava\u003c/span\u003e. La premi\u00e8re vuln\u00e9rabilit\u00e9 concerne la m\u00e9thode \"findClass\"\nde la classe MBeanInstantiator. Cette vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans\n\u003cspan class=\"textit\"\u003eOracle Java\u003c/span\u003e version 7.  \nLa deuxi\u00e8me vuln\u00e9rabilit\u00e9 se trouve dans la nouvelle API \u003cspan\nclass=\"textit\"\u003eReflection\u003c/span\u003e de \u003cspan class=\"textit\"\u003eOracle\nJava\u003c/span\u003e. Cette nouvelle API est disponible \u00e0 partir de la branche\n1.7 du produit. Cette vuln\u00e9rabilit\u00e9 est donc pr\u00e9sente dans les versions\nant\u00e9rieures \u00e0 \u003cspan class=\"textit\"\u003eOracle Java\u003c/span\u003e version 7 mise \u00e0\njour 11.  \nL\u0027association des deux vuln\u00e9rabilit\u00e9s permet \u00e0 un attaquant d\u0027ex\u00e9cuter\ndu code arbitraire \u00e0 distance au moyen d\u0027une page Web sp\u00e9cialement\ncon\u00e7ue sur les postes poss\u00e9dant une version de \u003cspan\nclass=\"textit\"\u003eOracle Java\u003c/span\u003e ant\u00e9rieure \u00e0 1.7.11.  \nCes vuln\u00e9rabilit\u00e9s sont activement exploit\u00e9es et largement diffus\u00e9es.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans Oracle Java",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle Java version 1.7 du 13 janvier 2013",
      "url": null
    }
  ]
}

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., Novell Inc., Canonical Ltd., Oracle Corp.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "Desktop 6 (Red Hat Enterprise Linux), Desktop 5 (Red Hat Enterprise Linux), 6 (Red Hat Enterprise Linux Server), 12 SP3 (Suse Linux Enterprise Desktop), 12 SP4 (Suse Linux Enterprise Desktop), 12 SP3 (Suse Linux Enterprise Server), 12 SP4 (Suse Linux Enterprise Server), 12 SP5 (Suse Linux Enterprise Server), 12 SP2 (Suse Linux Enterprise Desktop), 12 SP2 (Suse Linux Enterprise Server), 12 SP1 (Suse Linux Enterprise Server), 11 SP2 (Suse Linux Enterprise Desktop), 11 SP2 (Suse Linux Enterprise Server), 11 SP3 (Suse Linux Enterprise Server), 12 (Suse Linux Enterprise Desktop), 5 (Red Hat Enterprise Linux Server), 12 (Suse Linux Enterprise Server), 12.10 (Ubuntu), \u0434\u043e 7 Update 10 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Java Runtime Environment), 6.0 (Red Hat Enterprise Linux Workstation), 5.0 (Red Hat Enterprise Linux Workstation)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u0441\u0442\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/alert-cve-2013-0422.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2013-0422.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttp://rhn.redhat.com/errata/RHSA-2013-0165.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.01.2013",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.06.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-03304",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2013-0422",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Red Hat Enterprise Linux Server, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server, Ubuntu, Java Runtime Environment, Red Hat Enterprise Linux Workstation",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux Desktop 6 , Red Hat Inc. Red Hat Enterprise Linux Desktop 5 , Red Hat Inc. Red Hat Enterprise Linux Server 6 , Novell Inc. Suse Linux Enterprise Desktop 12 SP3 , Novell Inc. Suse Linux Enterprise Desktop 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP3 , Novell Inc. Suse Linux Enterprise Server 12 SP4 , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. Suse Linux Enterprise Desktop 12 SP2 , Novell Inc. Suse Linux Enterprise Server 12 SP2 , Novell Inc. Suse Linux Enterprise Server 12 SP1 , Novell Inc. Suse Linux Enterprise Desktop 11 SP2 , Novell Inc. Suse Linux Enterprise Server 11 SP2 , Novell Inc. Suse Linux Enterprise Server 11 SP3 , Novell Inc. Suse Linux Enterprise Desktop 12 , Red Hat Inc. Red Hat Enterprise Linux Server 5 , Novell Inc. Suse Linux Enterprise Server 12 , Canonical Ltd. Ubuntu 12.10 , Red Hat Inc. Red Hat Enterprise Linux Workstation 6.0 , Red Hat Inc. Red Hat Enterprise Linux Workstation 5.0 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0435\u0442\u043e\u0434\u0430 getMBeanInstantiator \u0432 \u043a\u043b\u0430\u0441\u0441\u0435 JmxMBeanServer \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Java Runtime Environment, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u044f, \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (CWE-264)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0435\u0442\u043e\u0434\u0430 getMBeanInstantiator \u0432 \u043a\u043b\u0430\u0441\u0441\u0435 JmxMBeanServer \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Java Runtime Environment \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog\nhttp://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html \nhttp://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/ \nhttp://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html \nhttp://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/ \nhttp://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ \nhttp://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html \nhttp://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html \nhttp://rhn.redhat.com/errata/RHSA-2013-0156.html \nhttps://www.suse.com/security/cve/CVE-2013-0422.html\nhttp://rhn.redhat.com/errata/RHSA-2013-0165.html \nhttp://seclists.org/bugtraq/2013/Jan/48 \nhttp://www.kb.cert.org/vuls/id/625617\nhttp://www.mandriva.com/security/advisories?name=MDVSA-2013:095 \nhttp://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html \nhttp://www.ubuntu.com/usn/USN-1693-1 \nhttp://www.us-cert.gov/cas/techalerts/TA13-010A.html\nhttps://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf \nhttps://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013 \nhttps://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018 \nhttps://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-264",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle Java versions ant\u00e9rieures \u00e0 1.6.41",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle Java versions ant\u00e9rieures \u00e0 1.7.15",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2013-1485",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1485"
    },
    {
      "name": "CVE-2013-0422",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-0422"
    },
    {
      "name": "CVE-2013-0169",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-0169"
    },
    {
      "name": "CVE-2013-1484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1484"
    },
    {
      "name": "CVE-2013-1486",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1486"
    },
    {
      "name": "CVE-2013-1487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2013-1487"
    }
  ],
  "initial_release_date": "2013-02-20T00:00:00",
  "last_revision_date": "2013-02-20T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle JavaCPUFeb2013Update du 19    f\u00e9vrier 2013",
      "url": "http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html"
    }
  ],
  "reference": "CERTA-2013-AVI-142",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2013-02-20T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eOracle Java\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance au moyen de pages\nWeb sp\u00e9cialement con\u00e7ues. Elles permettent de d\u00e9sactiver la sandbox (\n\u003cspan class=\"textit\"\u003eSecurity Manager\u003c/span\u003e ).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Java",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Oracle JavaCPUFeb2013Update du 19 f\u00e9vrier 2013",
      "url": null
    }
  ]
}