
Oracle JRE CVE-2013-2460

Severity: CRITICAL (CVSS 2.0 base score 9.3)
Published: 2013-06-18
Source: secalert_us@oracle.com

CVSS Vector (NVD)

AV:N/AC:M/Au:N/C:C/I:C/A:C
Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: Complete

Lifecycle Timeline

- Analysis Updated, Apr 29, 2026 01:57 (vuln.today): v2 (cvss_changed)
- Re-analysis Queued, Apr 29, 2026 01:42 (vuln.today): cvss_changed
- Analysis Generated, Mar 26, 2026 11:18 (vuln.today)
- PoC Detected, Apr 11, 2025 00:51 (vuln.today): public exploit code
- CVE Published, Jun 18, 2013 22:55 (nvd): CRITICAL 9.3

Description (NVD)

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.

Analysis (AI)

Java Runtime Environment 7 Update 21 and earlier allows remote attackers to escape the Java sandbox and execute arbitrary code via insufficient access checks in the tracing/serviceability component. Public exploit code exists for this network-based, medium-complexity attack, and the CVE carries an EPSS score of 92.14% (100th percentile), indicating an extremely high likelihood of exploitation. Oracle addressed the flaw in its June 2013 Critical Patch Update, though the vendor never fully disclosed the exact nature of the serviceability component defect.

Technical Context (AI)

This vulnerability affects the Serviceability component within the Java Runtime Environment (JRE), specifically Oracle Java SE 7 Update 21 and earlier, as well as OpenJDK 7 implementations. The Serviceability component provides diagnostic and monitoring capabilities for Java applications, including tracing, profiling, and management interfaces. Third-party analysis suggests the root cause involves insufficient access checks in the tracing subsystem, allowing malicious code to bypass the Java Security Manager sandbox restrictions. The Java sandbox is designed to restrict untrusted code (such as applets or web-delivered Java applications) from accessing system resources, but this flaw permitted escape from those restrictions. The OpenJDK commit (160cde99bb1a) in the references provides the upstream fix implementation details. Without a specific CWE classification, the vulnerability class appears related to improper access control or privilege management within the JVM's internal diagnostic facilities.

Remediation (AI)

Upgrade Oracle JRE to version 7 Update 25 or later, released in Oracle's June 2013 Critical Patch Update (CPU): http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html. For OpenJDK 7, apply the upstream fix from commit 160cde99bb1a (http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/160cde99bb1a) or install the patched packages from your distribution's advisory (for example Red Hat RHSA-2013-0963).

If immediate patching is not feasible, the following compensating controls apply:

- Disable the Java browser plugin entirely, via browser settings or by unchecking 'Enable Java content in the browser' in the Java Control Panel. This removes the remote attack vector but also prevents all browser-based Java applets from running.
- Implement application whitelisting so that Java can run only trusted, business-essential applications.
- Set 'deployment.security.level' to 'VERY_HIGH' and maintain a strict whitelist of approved application URLs in the exception site list; this provides only limited protection against sophisticated exploits.

Note that disabling the browser plugin does not protect standalone Java applications from exploitation via malicious JAR files. Organizations should prioritize a complete upgrade to a supported Java version (Java 8 or later as of 2024) rather than prolonged reliance on mitigations for the end-of-life Java 7 branch.
