{"api_version":"1","generated_at":"2026-04-22T21:37:07+00:00","cve":"CVE-2013-1777","urls":{"html":"https://cve.report/CVE-2013-1777","api":"https://cve.report/api/cve/CVE-2013-1777.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-1777","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-1777"},"summary":{"title":"CVE-2013-1777","description":"The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2013-07-11 22:55:00","updated_at":"2014-04-01 06:19:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"https://issues.apache.org/jira/browse/GERONIMO-6477","name":"https://issues.apache.org/jira/browse/GERONIMO-6477","refsource":"CONFIRM","tags":[],"title":"[GERONIMO-6477] Misconfigured RMI classloader - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://geronimo.apache.org/30x-security-report.html","name":"http://geronimo.apache.org/30x-security-report.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Apache Geronimo : 3.0.x Security Report","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://archives.neohapsis.com/archives/bugtraq/2013-07/0008.html","name":"20130701 [SECURITY] CVE-2013-1777: Apache Geronimo 3 RMI classloader exposure","refsource":"BUGTRAQ","tags":[],"title":"NEOHAPSIS - Peace of Mind Through Integrity and Insight","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www-01.ibm.com/support/docview.wss?uid=swg21643282","name":"http://www-01.ibm.com/support/docview.wss?uid=swg21643282","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"IBM Security Bulletin: WebSphere Application Server Community Edition 3.0.0.3 RMI classloader exposure - United States","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-1777","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-1777","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"m1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"beta1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"geronimo","cpe6":"3.0","cpe7":"m1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"websphere_application_server","cpe6":"3.0.0.3","cpe7":"-","cpe8":"community","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"1777","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"websphere_application_server","cpe6":"3.0.0.3","cpe7":"-","cpe8":"community","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2013-1777","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://archives.neohapsis.com/archives/bugtraq/2013-07/0008.html","refsource":"MISC","name":"http://archives.neohapsis.com/archives/bugtraq/2013-07/0008.html"},{"url":"http://geronimo.apache.org/30x-security-report.html","refsource":"MISC","name":"http://geronimo.apache.org/30x-security-report.html"},{"url":"http://www-01.ibm.com/support/docview.wss?uid=swg21643282","refsource":"MISC","name":"http://www-01.ibm.com/support/docview.wss?uid=swg21643282"},{"url":"https://issues.apache.org/jira/browse/GERONIMO-6477","refsource":"MISC","name":"https://issues.apache.org/jira/browse/GERONIMO-6477"}]}},"nvd":{"publishedDate":"2013-07-11 22:55:00","lastModifiedDate":"2014-04-01 06:19:00","problem_types":["CWE-94"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":10},"severity":"HIGH","exploitabilityScore":10,"impactScore":10,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:websphere_application_server:3.0.0.3:-:community:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:3.0:m1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:3.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:geronimo:3.0:beta1:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"1777","Ordinal":"61404","Title":"CVE-2013-1777","CVE":"CVE-2013-1777","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"1777","Ordinal":"1","NoteData":"The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object.","Type":"Description","Title":null},{"CveYear":"2013","CveId":"1777","Ordinal":"2","NoteData":"2013-07-11","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"1777","Ordinal":"3","NoteData":"2014-03-25","Type":"Other","Title":"Modified"}]}}}