CVE-2012-4540

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2012-4540
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2012-11-11 13:00:00 UTC
Updated2018-10-30 16:27:00 UTC
DescriptionOff-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.

Risk And Classification

Problem Types: CWE-189

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Opensuse Opensuse 13.1 All All All
Operating System Opensuse Opensuse 13.2 All All All
Operating System Opensuse Opensuse 13.1 All All All
Operating System Opensuse Opensuse 13.2 All All All
Application Redhat Icedtea-web 1.1 All All All
Application Redhat Icedtea-web 1.1.1 All All All
Application Redhat Icedtea-web 1.1.2 All All All
Application Redhat Icedtea-web 1.1.3 All All All
Application Redhat Icedtea-web 1.1.4 All All All
Application Redhat Icedtea-web 1.1.5 All All All
Application Redhat Icedtea-web 1.1.6 All All All
Application Redhat Icedtea-web 1.2 All All All
Application Redhat Icedtea-web 1.2.1 All All All
Application Redhat Icedtea-web 1.3 All All All
Application Redhat Icedtea-web 1.1 All All All
Application Redhat Icedtea-web 1.1.1 All All All
Application Redhat Icedtea-web 1.1.2 All All All
Application Redhat Icedtea-web 1.1.3 All All All
Application Redhat Icedtea-web 1.1.4 All All All
Application Redhat Icedtea-web 1.1.5 All All All
Application Redhat Icedtea-web 1.1.6 All All All
Application Redhat Icedtea-web 1.2 All All All
Application Redhat Icedtea-web 1.2.1 All All All
Application Redhat Icedtea-web 1.3 All All All

References

ReferenceSourceLinkTags
Debian -- Security Information -- DSA-2768-1 icedtea-web DEBIAN www.debian.org
release/icedtea-web-1.2: 596a718be03f CONFIRM icedtea.classpath.org
release/icedtea-web-1.1: d759ec560073 NEWS CONFIRM icedtea.classpath.org
Red Hat Customer Portal REDHAT rhn.redhat.com
IcedTea-Web 1.1.7, 1.2.2 and 1.3.1 [security releases] released! MLIST mail.openjdk.java.net
openSUSE-SU-2013:0174-1: moderate: icedtea-web: update to 1.3.1 (bnc#787 SUSE lists.opensuse.org
Bug 869040 – CVE-2012-4540 icedtea-web: IcedTeaScriptableJavaObject::invoke off-by-one heap-based buffer overflow MISC bugzilla.redhat.com
USN-1625-1: Icedtea-Web vulnerability | Ubuntu UBUNTU www.ubuntu.com
IcedTea-Web CVE-2012-4540 Heap Based Buffer Overflow Vulnerability BID www.securityfocus.com
openSUSE-SU-2013:1509-1: moderate: update for icedtea-web SUSE lists.opensuse.org
IcedTea-Web Heap Overflow in IcedTeaScriptableJavaObject Lets Remote Users Execute Arbitrary Code - SecurityTracker SECTRACK www.securitytracker.com
release/icedtea-web-1.3: e7970f3da5fe CONFIRM icedtea.classpath.org
IcedTea-Web CVE-2013-4349 Heap Based Buffer Overflow Vulnerability BID www.securityfocus.com
Security Advisory SA51220 - Red Hat update for icedtea-web - Secunia SECUNIA secunia.com Vendor Advisory
openSUSE-SU-2012:1524-1: moderate: icedtea-web: update to 1.3.1 (bnc#787 SUSE lists.opensuse.org
oss-security - IcedTea-Web CVE-2012-4540 MLIST www.openwall.com
openSUSE-SU-2013:1511-1: moderate: update for icedtea-web SUSE lists.opensuse.org
Security Advisory SA51206 - Ubuntu update for icedtea-web - Secunia SECUNIA secunia.com Vendor Advisory
Support / Security / Advisories / / MDVSA-2012:171 | Mandriva MANDRIVA www.mandriva.com
Gentoo Linux Documentation -- IcedTea JDK: Multiple vulnerabilities GENTOO security.gentoo.org
About Secunia Research | Flexera SECUNIA secunia.com
IBM X-Force Exchange XF exchange.xforce.ibmcloud.com
IcedTea-Web 1.4.1 released! MLIST mail.openjdk.java.net
1007960 – (CVE-2013-4349) CVE-2013-4349 icedtea-web: CVE-2012-4540 issue not fixed in 1.4 CONFIRM bugzilla.redhat.com
[security-announce] openSUSE-SU-2015:1595-1: important: Security update SUSE lists.opensuse.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report