CVE-2008-5353

Currently unrated

Key Information:

Vendor: Oracle
Status: Jdk; Jre; Sdk
Vendor: CVE Published:; 5 December 2008

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 97%

Summary

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Metasploit exploit module for CVE-2008-5353
Created by Rapid7

References

http://marc.info/?l=bugtraq&m=126583436323697&w=2

vendor-advisoryx_refsource_HP

http://lists.opensuse.org/opensuse-security-announce/2009...

vendor-advisoryx_refsource_SUSE

http://secunia.com/advisories/34259

third-party-advisoryx_refsource_SECUNIA

EPSS Score

97% chance of being exploited in the next 30 days.

Timeline

🟡
Public PoC available
Jul 20, 2010
👾
Exploit known to exist
Jul 20, 2010
Vulnerability published
Dec 5, 2008
Vulnerability Reserved
Dec 4, 2008