{"api_version":"1","generated_at":"2026-04-24T19:58:27+00:00","cve":"CVE-2013-0422","urls":{"html":"https://cve.report/CVE-2013-0422","api":"https://cve.report/api/cve/CVE-2013-0422.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-0422","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-0422"},"summary":{"title":"CVE-2013-0422","description":"Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  
If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.","state":"PUBLISHED","assigner":"oracle","published_at":"2013-01-10 21:55:00","updated_at":"2026-04-21 19:02:35"},"problem_types":["NVD-CWE-Other","CWE-284","n/a","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"10","severity":"","vector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"}}],"references":[{"url":"http://www.ubuntu.com/usn/USN-1693-1","name":"http://www.ubuntu.com/usn/USN-1693-1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"USN-1693-1: OpenJDK 7 vulnerabilities | 
Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.kb.cert.org/vuls/id/625617","name":"http://www.kb.cert.org/vuls/id/625617","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Vulnerability Note VU#625617 - Java 7 fails to restrict access to privileged code","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018","name":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Support/Advisories/MGASA-2013-0018 - Mageia wiki","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:095","name":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:095","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"Support / Security / Advisories /  / MDVSA-2013:095 | Mandriva","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/","name":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"GNU/Andrew’s Blog » [SECURITY] IcedTea 2.1.4, 2.2.4 & 2.3.4 Released!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013","name":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"Threatpost | The first stop for security 
news","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html","name":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Immunity Products: Confirmed: Java only fixed one of the two bugs.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html","name":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Oracle Security Alert CVE-2013-0422","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us","name":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"IBM Product Security Incident Response Team","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.us-cert.gov/cas/techalerts/TA13-010A.html","name":"http://www.us-cert.gov/cas/techalerts/TA13-010A.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Oracle Java 7 Security Manager Bypass Vulnerability | 
US-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0165.html","name":"http://rhn.redhat.com/errata/RHSA-2013-0165.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/","name":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Zero-Day Java Exploit Debuts in Crimeware —  Krebs on Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html","name":"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2013:0199-1: critical: java-1_7_0-openjd","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/bugtraq/2013/Jan/48","name":"http://seclists.org/bugtraq/2013/Jan/48","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"Bugtraq: [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/","name":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory"],"title":"New year, new Java zeroday! 
| AlienVault","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0156.html","name":"http://rhn.redhat.com/errata/RHSA-2013-0156.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html","name":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Malware don't need Coffee: 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW !","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html","name":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"FireEye Blog | Threat Research, Analysis, and Mitigation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf","name":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"","mime":"application/pdf","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-0422","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-0422","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected 
n/a","platforms":[]}],"timeline":[{"source":"ADP","time":"2022-05-25T00:00:00.000Z","lang":"en","value":"CVE-2013-0422 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"12.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":
"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jdk","cpe6":"1.7.0","cpe7":"update9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4
":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"422","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2013","cve_id":"422","cve":"CVE-2013-0422","vendorProject":"Oracle","product":"Java Runtime Environment (JRE)","vulnerabilityName":"Oracle JRE Remote Code Execution Vulnerability","dateAdded":"2022-05-25","shortDescription":"A vulnerability in the way Java restricts the permissions of Java applets could allow an attacker to execute commands on 
a vulnerable system.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-06-15","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2013-0422","cwes":"CWE-264","catalogVersion":"2026.04.24","updated_at":"2026-04-24 17:59:33"},"epss":{"cve_year":"2013","cve_id":"422","cve":"CVE-2013-0422","epss":"0.936140000","percentile":"0.998390000","score_date":"2026-04-23","updated_at":"2026-04-24 00:02:52"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T14:25:10.233Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"RHSA-2013:0156","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0156.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"},{"name":"MDVSA-2013:095","tags":["vendor-advisory","x_refsource_MANDRIVA","x_transferred"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"},{"name":"openSUSE-SU-2013:0199","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"},{"name":"RHSA-2013:0165","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0165.html"},{"name":"VU#625617","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"http://www.kb.cert.org/vuls/id/625617"},{"name":"TA13-010A","tags":["third-party-advisory","x_refsource_CERT","x_transferred"],"url":"http://www.us-cert.gov/cas/techalerts/TA13-010A.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%
200day%20Analysis.pdf"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"},{"name":"USN-1693-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"http://www.ubuntu.com/usn/USN-1693-1"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"},{"name":"20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://seclists.org/bugtraq/2013/Jan/48"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2013-0422","options":[{"Exploitation":"active"},{"Automatable":"yes"},{"Technical 
Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-02-10T19:51:35.331536Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2022-05-25","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-22T00:05:44.798Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0422"}],"timeline":[{"lang":"en","time":"2022-05-25T00:00:00.000Z","value":"CVE-2013-0422 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2013-01-10T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  
CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2014-02-19T14:57:03.000Z","orgId":"43595867-4340-4103-b7a2-9a5208d29a85","shortName":"oracle"},"references":[{"name":"RHSA-2013:0156","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0156.html"},{"tags":["x_refsource_MISC"],"url":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"},{"name":"MDVSA-2013:095","tags":["vendor-advisory","x_refsource_MANDRIVA"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"},{"tags":["x_refsource_MISC"],"url":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"},{"name":"openSUSE-SU-2013:0199","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"},{"name":"RHSA-2013:0165","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0165.html"},{"name":"VU#625617","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"http://www.kb.cert.org/vuls/id/625617"},{"name":"TA13-010A","tags":["third-party-advisory","x_refsource_CERT"],"url":"http://www.us-cert.gov/cas/techalerts/TA13-010A.html"},{"tags":["x_refsource_MISC"],"url":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"},{
"tags":["x_refsource_MISC"],"url":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"},{"tags":["x_refsource_MISC"],"url":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us"},{"name":"USN-1693-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"http://www.ubuntu.com/usn/USN-1693-1"},{"tags":["x_refsource_CONFIRM"],"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"},{"tags":["x_refsource_MISC"],"url":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"},{"tags":["x_refsource_MISC"],"url":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"},{"name":"20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://seclists.org/bugtraq/2013/Jan/48"},{"tags":["x_refsource_CONFIRM"],"url":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"},{"tags":["x_refsource_MISC"],"url":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"},{"tags":["x_refsource_MISC"],"url":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"secalert_us@oracle.com","ID":"CVE-2013-0422","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using 
the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  
If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"RHSA-2013:0156","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2013-0156.html"},{"name":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html","refsource":"MISC","url":"http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html"},{"name":"MDVSA-2013:095","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:095"},{"name":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/","refsource":"MISC","url":"http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/"},{"name":"openSUSE-SU-2013:0199","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html"},{"name":"RHSA-2013:0165","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2013-0165.html"},{"name":"VU#625617","refsource":"CERT-VN","url":"http://www.kb.cert.org/vuls/id/625617"},{"name":"TA13-010A","refsource":"CERT","url":"http://www.us-cert.gov/cas/techalerts/TA13-010A.html"},{"name":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf","refsource":"MISC","url":"https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf"},{"name":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html","refsource":"MISC","url":"http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html"},{"name":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us","refsource":"MISC","url":"https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manage
r_bypass_vulnerability_cve_2013_04224?lang=en_us"},{"name":"USN-1693-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-1693-1"},{"name":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018","refsource":"CONFIRM","url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0018"},{"name":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html","refsource":"MISC","url":"http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html"},{"name":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013","refsource":"MISC","url":"https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013"},{"name":"20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code","refsource":"BUGTRAQ","url":"http://seclists.org/bugtraq/2013/Jan/48"},{"name":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"},{"name":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/","refsource":"MISC","url":"http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/"},{"name":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/","refsource":"MISC","url":"http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"}]}}}},"cveMetadata":{"assignerOrgId":"43595867-4340-4103-b7a2-9a5208d29a85","assignerShortName":"oracle","cveId":"CVE-2013-0422","datePublished":"2013-01-10T21:23:00.000Z","dateReserved":"2012-12-07T00:00:00.000Z","dateUpdated":"2025-10-22T00:05:44.798Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2013-01-10 21:55:00","lastModifiedDate":"2026-04-21 19:02:35","problem_types":["NVD-CWE-Other","CWE-284","n/a","CWE-284 CWE-284 Improper Access 
Control"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","baseScore":10,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:-:*:*:*:*:*:*","matchCriteriaId":"ACABC935-5DD6-4F85-992E-70AD517EF41D"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*","matchCriteriaId":"6152036D-6421-4AE4-9223-766FE07B5A44"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*","matchCriteriaId":"FE8B0935-6637-413D-B896-28E0ED7F2CEC"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*","matchCriteriaId":"D375CECB-405C-4E18-A7E8-9C5A2F97BD69"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*","matchCriteriaId":"52EEEA5A-E77C-43CF-A063-9D5C64EA1870"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*","matchCriteriaId":"003746F6-DEF0-4D0F-AD97-9E335868E301"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*","matchCriteriaId":"CF8
30E0E-0169-4B6A-81FF-2E9FCD7D913B"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*","matchCriteriaId":"6BAE3670-0938-480A-8472-DFF0B3A0D0BF"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*","matchCriteriaId":"0EC967FF-26A6-4498-BC09-EC23B2B75CBA"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*","matchCriteriaId":"02781457-4E40-46A9-A5F7-945232A8C2B1"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*","matchCriteriaId":"DFAA351A-93CD-46A8-A480-CE2783CCD620"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*","matchCriteriaId":"F4B153FD-E20B-4909-8B10-884E48F5B590"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*","matchCriteriaId":"F21933FB-A27C-4AF3-9811-2DE28484A5A6"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*","matchCriteriaId":"CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*","matchCriteriaId":"5831D70B-3854-4CB8-B88D-40F1743DAEE0"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*","matchCriteriaId":"EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*","matchCriteriaId":"BA302DF3-ABBB-4262-B206-4C0F7B5B1E91"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*","matchCriteriaId":"F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*","matchCriteriaId":"0CD8A54E-185B-4D34-82EF-C0C05739EC12"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*","matchCriteriaId":"4FFC7F0D-1F32-4235-8359-277CE41382DF"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*","matchCriteriaId":"E2076871-2E80-4605-A470-A4
1C1A8EC7EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*","matchCriteriaId":"D806A17E-B8F9-466D-807D-3F1E77603DC8"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"422","Ordinal":"1","Title":"CVE-2013-0422","CVE":"CVE-2013-0422","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"422","Ordinal":"1","NoteData":"Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using the public getMBeanInstantiator method in the JmxMBeanServer class to obtain a reference to a private MBeanInstantiator object, then retrieving arbitrary Class references using the findClass method, and (2) using the Reflection API with recursion in a way that bypasses a security check by the java.lang.invoke.MethodHandles.Lookup.checkSecurityManager method due to the inability of the sun.reflect.Reflection.getCallerClass method to skip frames related to the new reflection API, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681 and CVE-2012-3174. NOTE: some parties have mapped the recursive Reflection API issue to CVE-2012-3174, but CVE-2012-3174 is for a different vulnerability whose details are not public as of 20130114.  CVE-2013-0422 covers both the JMX/MBean and Reflection API issues.  NOTE: it was originally reported that Java 6 was also vulnerable, but the reporter has retracted this claim, stating that Java 6 is not exploitable because the relevant code is called in a way that does not bypass security checks.  NOTE: as of 20130114, a reliable third party has claimed that the findClass/MBeanInstantiator vector was not fixed in Oracle Java 7 Update 11.  
If there is still a vulnerable condition, then a separate CVE identifier might be created for the unfixed issue.","Type":"Description","Title":"CVE-2013-0422"},{"CveYear":"2013","CveId":"422","Ordinal":"2","NoteData":"2013-01-10","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"422","Ordinal":"3","NoteData":"2014-02-19","Type":"Other","Title":"Modified"}]}}}
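The record above is useful to a practitioner mainly for one question: is the Java build on a given host inside the `configurations` CPE list, and what does the CVSS vector actually say? The script below is an added example written for this page; it is not part of the cve.report API output or of any vendor tooling. The CPE strings, the CVSS 3.1 vector and the note about Update 11 are copied from the record; the function names, the treatment of CPE `*`/`-` fields, and the mapping from the `java -version` string (`1.7.0_10`, zero-padded `1.7.0_05`, or a bare `1.7.0` for the GA release, with an optional `-bNN` build suffix) onto the record's `version`/`update` fields are this example's own assumptions.

```python
"""Check a locally observed Java version against the CPE applicability
statements and CVSS vector in the CVE-2013-0422 NVD record.

Added example for this page, not part of the cve.report output.  The CPE
strings and CVSS vector are copied from the record; everything else
(function names, version-string parsing rules) is assumed here.
"""
import re

# Reconstructed from the record's cpeMatch entries for oracle:jdk and
# oracle:jre.  The record lists the GA release ('-' = no update) and
# updates 1-7, 9 and 10; there is no update8 entry in the record.
_RECORD_UPDATES = ["-", "update1", "update2", "update3", "update4",
                   "update5", "update6", "update7", "update9", "update10"]
AFFECTED_CPES = [
    "cpe:2.3:a:oracle:%s:1.7.0:%s:*:*:*:*:*:*" % (product, update)
    for product in ("jdk", "jre")
    for update in _RECORD_UPDATES
]

# Copied from the record's cvssMetricV31 entry.
CVSS31_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

_CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other"]

# Assumed 'java -version' shape: 1.7.0, 1.7.0_10, 1.7.0_05, 1.7.0_11-b21
_JAVA_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:_(\d+))?(?:-\S*)?$")


def parse_cpe23(criteria):
    """Split an unescaped CPE 2.3 formatted string into its 11 named fields."""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % criteria)
    return dict(zip(_CPE_FIELDS, fields[2:]))


def java_version_to_cpe(version_string):
    """Map a 'java -version' string onto the record's (version, update) pair.

    The record encodes the GA release as update '-' and update N as 'updateN'
    without zero padding, so '1.7.0_05' becomes ('1.7.0', 'update5').
    """
    m = _JAVA_VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version_string)
    base, upd = m.group(1), m.group(2)
    update = "-" if upd is None else "update%d" % int(upd)
    return base, update


def _field_matches(pattern, value):
    # CPE 2.3 '*' means ANY; '-' means NA and only matches a literal '-'.
    return pattern == "*" or pattern == value


def is_affected(product, version_string, cpes=None):
    """True if (product, version) matches any 'vulnerable' CPE in the record."""
    base, update = java_version_to_cpe(version_string)
    for criteria in (cpes if cpes is not None else AFFECTED_CPES):
        cpe = parse_cpe23(criteria)
        if (cpe["part"] == "a" and cpe["vendor"] == "oracle"
                and _field_matches(cpe["product"], product)
                and _field_matches(cpe["version"], base)
                and _field_matches(cpe["update"], update)):
            return True
    return False


def assess(product, version_string):
    """Affected / not listed, carrying the record's own caveat about 7u11."""
    if is_affected(product, version_string):
        return "affected"
    base, update = java_version_to_cpe(version_string)
    if base == "1.7.0" and update == "update11":
        return ("not listed (7u11 is the fix release, but the record notes a "
                "third-party claim that the findClass vector was not fixed in it)")
    return "not listed"


def parse_cvss31(vector):
    """Parse a CVSS:3.1 vector string into a {metric: value} dict."""
    head, _, rest = vector.partition("/")
    if head != "CVSS:3.1":
        raise ValueError("not a CVSS 3.1 vector: %r" % vector)
    metrics = dict(item.split(":", 1) for item in rest.split("/"))
    missing = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"} - set(metrics)
    if missing:
        raise ValueError("vector missing base metrics: %s" % sorted(missing))
    return metrics


if __name__ == "__main__":
    for product, ver in [("jre", "1.7.0_10"), ("jdk", "1.7.0_05"),
                         ("jre", "1.7.0"), ("jre", "1.7.0_11-b21"),
                         ("jre", "1.6.0_38")]:
        print("%s %-12s -> %s" % (product, ver, assess(product, ver)))
    print(parse_cvss31(CVSS31_VECTOR))
```

Feed it the string from `java -version` on the host being assessed. Two points the record itself makes are worth keeping in mind when reading the output: the CPE list is the NVD applicability statement, not proof that a build is exploitable in a given deployment, and the `not listed` verdict for 7u11 is deliberately hedged because the description records a claim that the `MBeanInstantiator.findClass` vector survived that update. The `userInteractionRequired: true` flag in the CVSS v2 block also reminds you that the in-the-wild path (Blackhole, Nuclear Pack) was a browser-delivered applet, so an unpatched JRE that is not browser-enabled carries a different exposure than the 9.8/10.0 base scores alone suggest.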