CVE-2013-2423
Summary
| CVE | CVE-2013-2423 |
|---|---|
| State | PUBLISHED |
| Assigner | oracle |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2013-04-17 18:55:07 UTC |
| Updated | 2026-04-22 13:06:26 UTC |
| Description | Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager. |
Risk And Classification
Primary CVSS: v3.1 3.7 LOW from ADP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.933970000 probability, percentile 0.998180000 (date 2026-04-24)
CISA KEV: Listed on 2022-05-25; due 2022-06-15; ransomware use Unknown
Problem Types: NVD-CWE-noinfo | CWE-284 Improper Access Control | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 2.0 | [email protected] | Primary | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | Low |
| Availability | None |
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
CISA Known Exploited Vulnerability
| Vendor | Oracle |
|---|---|
| Product | Java Runtime Environment (JRE) |
| Name | Oracle JRE Unspecified Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2013-2423 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.10 | All | All | All |
| Operating System | Opensuse | Opensuse | 12.3 | All | All | All |
| Application | Oracle | Jre | 1.7.0 | - | All | All |
| Application | Oracle | Jre | 1.7.0 | update1 | All | All |
| Application | Oracle | Jre | 1.7.0 | update10 | All | All |
| Application | Oracle | Jre | 1.7.0 | update11 | All | All |
| Application | Oracle | Jre | 1.7.0 | update13 | All | All |
| Application | Oracle | Jre | 1.7.0 | update15 | All | All |
| Application | Oracle | Jre | 1.7.0 | update2 | All | All |
| Application | Oracle | Jre | 1.7.0 | update3 | All | All |
| Application | Oracle | Jre | 1.7.0 | update4 | All | All |
| Application | Oracle | Jre | 1.7.0 | update5 | All | All |
| Application | Oracle | Jre | 1.7.0 | update6 | All | All |
| Application | Oracle | Jre | 1.7.0 | update7 | All | All |
| Application | Oracle | Jre | 1.7.0 | update9 | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| GNU/Andrew’s Blog » [SECURITY] IcedTea 2.3.9 for OpenJDK 7 Released! | af854a3a-2127-422b-91ae-364da2661108 | blog.fuseyism.com | Broken Link |
| jdk7u/jdk7u-dev/jdk: changeset 6014:b453d9be6b3f | af854a3a-2127-422b-91ae-364da2661108 | hg.openjdk.java.net | Patch |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | Broken Link |
| Support/Advisories/MGASA-2013-0130 - Mageia wiki | af854a3a-2127-422b-91ae-364da2661108 | wiki.mageia.org | Third Party Advisory |
| Support / Security / Advisories / MDVSA-2013:161 - Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Third Party Advisory |
| Oracle Java SE Critical Patch Update - April 2013 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Vendor Advisory |
| IKVM.NET Weblog - Java 7 Update 21 | af854a3a-2127-422b-91ae-364da2661108 | weblog.ikvm.net | Broken Link |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| Bug 952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677) | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | Issue Tracking |
| Oracle Has Released Multiple Updates for Java SE - US-CERT | af854a3a-2127-422b-91ae-364da2661108 | www.us-cert.gov | Third Party Advisory, US Government Resource |
| Gentoo Linux Documentation -- IcedTea JDK: Multiple vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| USN-1806-1: OpenJDK 7 vulnerabilities - Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| Java Applet Reflection Type Confusion Remote Code Execution | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Third Party Advisory, VDB Entry |
| openSUSE-SU-2013:0964-1: moderate: update for java-1_7_0-openjdk | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Third Party Advisory |
| Java is So Confusing... - SpiderLabs Anterior | af854a3a-2127-422b-91ae-364da2661108 | blog.spiderlabs.com | Not Applicable |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2022-05-25T00:00:00.000Z | CVE-2013-2423 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.