Security Flaw in Oracle Java SE and JRockit Products Compromising User Data
CVE-2017-3252

5.8 MEDIUM

Summary

A vulnerability exists in the JAAS component of Oracle's Java SE and JRockit, permitting a low-privilege attacker with network access through various protocols to exploit the system. This flaw can lead to unauthorized creation, deletion, or modification of critical data by compromising user sessions. Attacks may be executed through both sandboxed Java Web Start applications and APIs, impacting any application utilizing the affected Java components. The vulnerability can also significantly affect client and server deployments, making it essential to apply available security updates promptly.

Affected Version(s)

  • Java SE: 6u131, 7u121, 8u112

  • Java SE Embedded: 8u111

  • JRockit: R28.3.12

CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
