CVE-2013-0402 - OpenCVE

Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Javafx Jdk Jre
Redhat	Rhel Extras

Configuration 1 [-]

cpe:2.3:a:oracle:javafx:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:jdk:1.7.0:update17::::::
	cpe:2.3:a:oracle:jre:1.7.0:update17::::::

Package	CPE	Advisory	Released Date
Supplementary for Red Hat Enterprise Linux 5
java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el5	cpe:/a:redhat:rhel_extras:5	RHSA-2013:0757	2013-04-18T00:00:00Z
Supplementary for Red Hat Enterprise Linux 6
java-1.7.0-oracle-1:1.7.0.21-1jpp.1.el6	cpe:/a:redhat:rhel_extras:6	RHSA-2013:0757	2013-04-18T00:00:00Z

References

Link	Providers
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157
http://rhn.redhat.com/errata/RHSA-2013-0757.html
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
http://www.us-cert.gov/ncas/alerts/TA13-107A
http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/
https://nvd.nist.gov/vuln/detail/CVE-2013-0402
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728
https://twitter.com/thezdi/status/309484730506698752
https://www.cve.org/CVERecord?id=CVE-2013-0402

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2013-03-08T18:00:00

Updated: 2024-08-06T14:25:09.528Z

Reserved: 2012-12-07T00:00:00

Link: CVE-2013-0402

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-03-08T18:55:01.567

Modified: 2017-09-19T01:35:38.073

Link: CVE-2013-0402

Redhat

Severity : Critical

Publid Date: 2013-03-06T00:00:00Z

Links: CVE-2013-0402 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-03-06T00:00:00", "descriptions": [{"lang": "en", "value": "Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-18T12:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://twitter.com/thezdi/status/309484730506698752"}, {"name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"name": "oval:org.mitre.oval:def:15728", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728"}, {"tags": ["x_refsource_MISC"], "url": "http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"tags": ["x_refsource_MISC"], "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2013-0402", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://twitter.com/thezdi/status/309484730506698752", "refsource": "MISC", "url": "https://twitter.com/thezdi/status/309484730506698752"}, {"name": "TA13-107A", "refsource": "CERT", "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"name": "RHSA-2013:0757", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"name": "oval:org.mitre.oval:def:15728", "refsource": "OVAL", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728"}, {"name": "http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/", "refsource": "MISC", "url": "http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/"}, {"name": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"name": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157", "refsource": "MISC", "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T14:25:09.528Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/thezdi/status/309484730506698752"}, {"name": "TA13-107A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"name": "RHSA-2013:0757", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"name": "oval:org.mitre.oval:def:15728", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2013-0402", "datePublished": "2013-03-08T18:00:00", "dateReserved": "2012-12-07T00:00:00", "dateUpdated": "2024-08-06T14:25:09.528Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:javafx:*:*:*:*:*:*:*:*", "matchCriteriaId": "42C5A003-20C4-48E9-96B3-6C4A0C29E6F2", "versionEndIncluding": "2.2.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*", "matchCriteriaId": "130849CD-A581-4FE6-B2AA-99134F16FE65", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*", "matchCriteriaId": "37B5B98B-0E41-4397-8AB0-C18C6F10AED1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap-based buffer overflow in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to execute arbitrary code via unspecified vectors related to JavaFX, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013."}, {"lang": "es", "value": "Un desbordamiento de b\u00fafer basado en memoria din\u00e1mica ('heap') en Oracle Java 7 Update v17 y posiblemente otras versiones, permite a atacantes remotos ejecutar c\u00f3digo de su elecci\u00f3n a trav\u00e9s de vectores no especificados, como fue demostrado por VUPEN durante el concurso Pwn2Own en CanSecWest 2013."}], "id": "CVE-2013-0402", "lastModified": "2017-09-19T01:35:38.073", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-03-08T18:55:01.567", "references": [{"source": "secalert_us@oracle.com", "url": "http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2013/ba-p/5981157"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0757.html"}, {"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"}, {"source": "secalert_us@oracle.com", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/ncas/alerts/TA13-107A"}, {"source": "secalert_us@oracle.com", "url": "http://www.zdnet.com/pwn2own-down-go-all-the-browsers-7000012283/"}, {"source": "secalert_us@oracle.com", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15728"}, {"source": "secalert_us@oracle.com", "url": "https://twitter.com/thezdi/status/309484730506698752"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}