CVE-2009-2672

critical

Description

The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors.

References

https://rhn.redhat.com/errata/RHSA-2009-1201.html

https://rhn.redhat.com/errata/RHSA-2009-1200.html

https://rhn.redhat.com/errata/RHSA-2009-1199.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9359

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7723

https://exchange.xforce.ibmcloud.com/vulnerabilities/52337

http://www.vupen.com/english/advisories/2009/3316

http://www.vupen.com/english/advisories/2009/2543

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.us-cert.gov/cas/techalerts/TA09-294A.html

http://www.securitytracker.com/id?1022659

http://www.securityfocus.com/bid/35943

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263409-1

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://secunia.com/advisories/37460

http://secunia.com/advisories/37386

http://secunia.com/advisories/37300

http://secunia.com/advisories/36248

http://secunia.com/advisories/36199

http://secunia.com/advisories/36180

http://secunia.com/advisories/36176

http://marc.info/?l=bugtraq&m=125787273209737&w=2

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00003.html

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

http://java.sun.com/javase/6/webnotes/6u15.html

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20

Details

Source: Mitre, NVD

Published: 2009-08-05

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical