Skip to main content

Oracle JRE CVE-2013-2460

CRITICAL
2013-06-18 secalert_us@oracle.com
9.3
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:M/Au:N/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:M/Au:N/C:C/I:C/A:C
Attack Vector
Network
Attack Complexity
M
Confidentiality
C
Integrity
C
Availability
C

Lifecycle Timeline

5
Analysis Updated
Apr 29, 2026 - 01:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:42 vuln.today
cvss_changed
Analysis Generated
Mar 26, 2026 - 11:18 vuln.today
PoC Detected
Apr 11, 2025 - 00:51 vuln.today
Public exploit code
CVE Published
Jun 18, 2013 - 22:55 nvd
CRITICAL 9.3

DescriptionCVE.org

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.

AnalysisAI

Java Runtime Environment 7 Update 21 and earlier allows remote attackers to escape the Java sandbox and execute arbitrary code via insufficient access checks in the tracing/serviceability component. Publicly available exploit code exists for this medium-complexity network attack, which achieved a 92.14% EPSS score (100th percentile), indicating extremely high likelihood of exploitation. Oracle addressed this vulnerability in their June 2013 Critical Patch Update, though the exact nature of the serviceability component flaw was not fully disclosed by the vendor.

Technical ContextAI

This vulnerability affects the Serviceability component within the Java Runtime Environment (JRE), specifically Oracle Java SE 7 Update 21 and earlier, as well as OpenJDK 7 implementations. The Serviceability component provides diagnostic and monitoring capabilities for Java applications, including tracing, profiling, and management interfaces. Third-party analysis suggests the root cause involves insufficient access checks in the tracing subsystem, allowing malicious code to bypass the Java Security Manager sandbox restrictions. The Java sandbox is designed to restrict untrusted code (such as applets or web-delivered Java applications) from accessing system resources, but this flaw permitted escape from those restrictions. The OpenJDK commit (160cde99bb1a) in the references provides the upstream fix implementation details. Without a specific CWE classification, the vulnerability class appears related to improper access control or privilege management within the JVM's internal diagnostic facilities.

RemediationAI

Upgrade Oracle JRE to version 7 Update 25 or later, released in Oracle's June 2013 Critical Patch Update (CPU) available at http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html. For OpenJDK 7 users, apply the upstream fix from commit 160cde99bb1a available at http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a or update to distribution-provided patched packages per vendor advisories (Red Hat RHSA-2013-0963 for immediate remediation). As compensating controls if immediate patching is not feasible: disable Java browser plugins entirely via browser settings or the Java Control Panel's 'Enable Java content in the browser' option, which eliminates the remote attack vector but prevents all browser-based Java applets from running; implement application whitelisting to restrict Java execution to only trusted, business-essential applications; or deploy Java with the 'deployment.security.level' set to 'VERY_HIGH' and maintain a strict whitelist of approved application URLs in the exception site list, though this provides limited protection against sophisticated exploits. Note that disabling browser plugins does not protect standalone Java applications from exploitation via malicious JAR files. Organizations should prioritize complete upgrade to supported Java versions (Java 8 or later as of 2024) rather than prolonged reliance on mitigations for this end-of-life Java 7 branch.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2013-2460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy