{"api_version":"1","generated_at":"2026-04-25T04:31:31+00:00","cve":"CVE-2013-2423","urls":{"html":"https://cve.report/CVE-2013-2423","api":"https://cve.report/api/cve/CVE-2013-2423.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-2423","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-2423"},"summary":{"title":"CVE-2013-2423","description":"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.","state":"PUBLISHED","assigner":"oracle","published_at":"2013-04-17 18:55:07","updated_at":"2026-04-22 13:06:26"},"problem_types":["NVD-CWE-noinfo","CWE-284","n/a","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"3.7","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/","name":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"GNU/Andrew’s Blog » [SECURITY] IcedTea 2.3.9 for OpenJDK 7 Released!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f","name":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"jdk7u/jdk7u-dev/jdk: changeset 6014:b453d9be6b3f","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700","name":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"Repository  /  Oval Repository","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130","name":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Support/Advisories/MGASA-2013-0130 - Mageia wiki","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:161","name":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:161","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Support / Security / Advisories /  / MDVSA-2013:161 | Mandriva","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html","name":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"Oracle Java SE Critical Patch Update - April 2013","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0","name":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link"],"title":"IKVM.NET Weblog - Java 7 Update 21","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0757.html","name":"http://rhn.redhat.com/errata/RHSA-2013-0757.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2013-0752.html","name":"http://rhn.redhat.com/errata/RHSA-2013-0752.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=952398","name":"https://bugzilla.redhat.com/show_bug.cgi?id=952398","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking"],"title":"Bug 952398 – CVE-2013-2423 OpenJDK: incorrect setter access checks in MethodHandles (Hostspot, 8009677)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.us-cert.gov/ncas/alerts/TA13-107A","name":"http://www.us-cert.gov/ncas/alerts/TA13-107A","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","US Government Resource"],"title":"Oracle Has Released Multiple Updates for Java SE | US-CERT","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://security.gentoo.org/glsa/glsa-201406-32.xml","name":"http://security.gentoo.org/glsa/glsa-201406-32.xml","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Gentoo Linux Documentation\n--\n  IcedTea JDK: Multiple vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-1806-1","name":"http://www.ubuntu.com/usn/USN-1806-1","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"USN-1806-1: OpenJDK 7 vulnerabilities | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://www.exploit-db.com/exploits/24976","name":"http://www.exploit-db.com/exploits/24976","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"Java Applet Reflection Type Confusion Remote Code Execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html","name":"http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"openSUSE-SU-2013:0964-1: moderate: update for java-1_7_0-openjdk","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html","name":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"Java is So Confusing... - SpiderLabs Anterior","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-2423","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-2423","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[{"source":"ADP","time":"2022-05-25T00:00:00.000Z","lang":"en","value":"CVE-2013-2423 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"opensuse","cpe6":"12.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update11","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update13","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update15","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"2423","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"jre","cpe6":"1.7.0","cpe7":"update9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2013","cve_id":"2423","cve":"CVE-2013-2423","vendorProject":"Oracle","product":"Java Runtime Environment (JRE)","vulnerabilityName":"Oracle JRE Unspecified Vulnerability","dateAdded":"2022-05-25","shortDescription":"Unspecified vulnerability in hotspot for Java Runtime Environment (JRE) allows remote attackers to affect integrity.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-06-15","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2013-2423","cwes":"","catalogVersion":"2026.04.24","updated_at":"2026-04-24 17:59:33"},"epss":{"cve_year":"2013","cve_id":"2423","cve":"CVE-2013-2423","epss":"0.933970000","percentile":"0.998180000","score_date":"2026-04-24","updated_at":"2026-04-25 00:14:37"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T15:36:46.423Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"GLSA-201406-32","tags":["vendor-advisory","x_refsource_GENTOO","x_transferred"],"url":"http://security.gentoo.org/glsa/glsa-201406-32.xml"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"},{"name":"TA13-107A","tags":["third-party-advisory","x_refsource_CERT","x_transferred"],"url":"http://www.us-cert.gov/ncas/alerts/TA13-107A"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"},{"name":"RHSA-2013:0757","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0757.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"},{"name":"24976","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"http://www.exploit-db.com/exploits/24976"},{"name":"MDVSA-2013:161","tags":["vendor-advisory","x_refsource_MANDRIVA","x_transferred"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"},{"name":"openSUSE-SU-2013:0964","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"},{"name":"RHSA-2013:0752","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0752.html"},{"name":"USN-1806-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"http://www.ubuntu.com/usn/USN-1806-1"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=952398"},{"name":"oval:org.mitre.oval:def:16700","tags":["vdb-entry","signature","x_refsource_OVAL","x_transferred"],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.7,"baseSeverity":"LOW","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2013-2423","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-02-10T19:49:17.531608Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2022-05-25","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-22T00:05:43.126Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2423"}],"timeline":[{"lang":"en","time":"2022-05-25T00:00:00.000Z","value":"CVE-2013-2423 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2013-04-16T00:00:00.000Z","descriptions":[{"lang":"en","value":"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-09-18T12:57:01.000Z","orgId":"43595867-4340-4103-b7a2-9a5208d29a85","shortName":"oracle"},"references":[{"name":"GLSA-201406-32","tags":["vendor-advisory","x_refsource_GENTOO"],"url":"http://security.gentoo.org/glsa/glsa-201406-32.xml"},{"tags":["x_refsource_MISC"],"url":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"},{"name":"TA13-107A","tags":["third-party-advisory","x_refsource_CERT"],"url":"http://www.us-cert.gov/ncas/alerts/TA13-107A"},{"tags":["x_refsource_CONFIRM"],"url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"},{"name":"RHSA-2013:0757","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0757.html"},{"tags":["x_refsource_MISC"],"url":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"},{"name":"24976","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"http://www.exploit-db.com/exploits/24976"},{"name":"MDVSA-2013:161","tags":["vendor-advisory","x_refsource_MANDRIVA"],"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"},{"name":"openSUSE-SU-2013:0964","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"},{"name":"RHSA-2013:0752","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"http://rhn.redhat.com/errata/RHSA-2013-0752.html"},{"name":"USN-1806-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"http://www.ubuntu.com/usn/USN-1806-1"},{"tags":["x_refsource_MISC"],"url":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=952398"},{"name":"oval:org.mitre.oval:def:16700","tags":["vdb-entry","signature","x_refsource_OVAL"],"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"},{"tags":["x_refsource_CONFIRM"],"url":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"},{"tags":["x_refsource_CONFIRM"],"url":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"secalert_us@oracle.com","ID":"CVE-2013-2423","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"GLSA-201406-32","refsource":"GENTOO","url":"http://security.gentoo.org/glsa/glsa-201406-32.xml"},{"name":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0","refsource":"MISC","url":"http://weblog.ikvm.net/PermaLink.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0"},{"name":"TA13-107A","refsource":"CERT","url":"http://www.us-cert.gov/ncas/alerts/TA13-107A"},{"name":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130","refsource":"CONFIRM","url":"https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0130"},{"name":"RHSA-2013:0757","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2013-0757.html"},{"name":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f","refsource":"MISC","url":"http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b453d9be6b3f"},{"name":"24976","refsource":"EXPLOIT-DB","url":"http://www.exploit-db.com/exploits/24976"},{"name":"MDVSA-2013:161","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2013:161"},{"name":"openSUSE-SU-2013:0964","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-updates/2013-06/msg00099.html"},{"name":"RHSA-2013:0752","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2013-0752.html"},{"name":"USN-1806-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-1806-1"},{"name":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html","refsource":"MISC","url":"http://blog.spiderlabs.com/2013/04/java-is-so-confusing.html"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=952398","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=952398"},{"name":"oval:org.mitre.oval:def:16700","refsource":"OVAL","url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16700"},{"name":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html"},{"name":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/","refsource":"CONFIRM","url":"http://blog.fuseyism.com/index.php/2013/04/22/security-icedtea-2-3-9-for-openjdk-7-released/"}]}}}},"cveMetadata":{"assignerOrgId":"43595867-4340-4103-b7a2-9a5208d29a85","assignerShortName":"oracle","cveId":"CVE-2013-2423","datePublished":"2013-04-17T15:00:00.000Z","dateReserved":"2013-03-05T00:00:00.000Z","dateUpdated":"2025-10-22T00:05:43.126Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2013-04-17 18:55:07","lastModifiedDate":"2026-04-22 13:06:26","problem_types":["NVD-CWE-noinfo","CWE-284","n/a","CWE-284 CWE-284 Improper Access Control"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*","matchCriteriaId":"DFAA351A-93CD-46A8-A480-CE2783CCD620"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*","matchCriteriaId":"F4B153FD-E20B-4909-8B10-884E48F5B590"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*","matchCriteriaId":"F21933FB-A27C-4AF3-9811-2DE28484A5A6"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*","matchCriteriaId":"B2B20041-EB5D-4FA4-AC7D-C35E7878BCFD"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*","matchCriteriaId":"F3C3C9C7-73AE-4B1D-AA85-C7F5330A4DE6"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*","matchCriteriaId":"1D8BB8D7-D5EC-42D6-BEAA-CB03D1D6513E"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*","matchCriteriaId":"CB106FA9-26CE-48C5-AEA5-FD1A5454AEE2"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*","matchCriteriaId":"5831D70B-3854-4CB8-B88D-40F1743DAEE0"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*","matchCriteriaId":"EEB101C9-CA38-4421-BC0C-C1AD47AA2CC9"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*","matchCriteriaId":"BA302DF3-ABBB-4262-B206-4C0F7B5B1E91"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*","matchCriteriaId":"F9A8EBCB-5E6A-42F0-8D07-F3A3D1C850F0"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*","matchCriteriaId":"0CD8A54E-185B-4D34-82EF-C0C05739EC12"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*","matchCriteriaId":"4FFC7F0D-1F32-4235-8359-277CE41382DF"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*","matchCriteriaId":"E2076871-2E80-4605-A470-A41C1A8EC7EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*","matchCriteriaId":"DFBF430B-0832-44B0-AA0E-BA9E467F7668"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"2423","Ordinal":"1","Title":"CVE-2013-2423","CVE":"CVE-2013-2423","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"2423","Ordinal":"1","NoteData":"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot.  NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.","Type":"Description","Title":"CVE-2013-2423"},{"CveYear":"2013","CveId":"2423","Ordinal":"2","NoteData":"2013-04-17","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"2423","Ordinal":"3","NoteData":"2017-09-18","Type":"Other","Title":"Modified"}]}}}