Java Runtime Environment
CVE-2013-2465
CRITICAL
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
Analysis (AI)
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthenticated attackers to execute arbitrary code and escape security restrictions. Affects Oracle JRE 5.0 through Update 45, 6 through Update 45, 7 through Update 21, and OpenJDK 7. Confirmed actively exploited (CISA KEV) with 93.22% EPSS probability and publicly available exploit code. Oracle released patches in June 2013 CPU addressing the vulnerability through image channel verification corrections.
Technical Context (AI)
This vulnerability resides in the Java 2D graphics rendering component, which handles image processing, drawing, and rendering operations across the Java platform. The root cause (CWE-693) indicates a protection mechanism failure: the Java 2D component incorrectly verifies image channels during processing. The Java sandbox security model relies on multiple verification layers to isolate untrusted code execution, so a failure in component-level input validation can compromise the entire sandbox. The 2D component processes image data from many sources, including network streams, which makes incorrect channel verification a critical trust-boundary failure. CPE data confirms impact across three major JRE version families (5.0, 6, 7) and the open-source OpenJDK 7 implementation, indicating a deep architectural flaw rather than a version-specific regression.
Remediation (AI)
Immediately upgrade Oracle JRE to 7 Update 25, 6 Update 51, or 5.0 Update 51, released in Oracle's June 2013 Critical Patch Update. For OpenJDK 7, apply the upstream fix at http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040 or update to distribution-provided patched packages per RHSA-2013-0963, RHSA-2013-1059, RHSA-2013-1060, and the corresponding SUSE/openSUSE security advisories from July-August 2013. Where patching cannot happen immediately, restrict untrusted applet execution by setting deployment.security.level=VERY_HIGH and disabling the Java plugin in browser preferences. This mitigation is incomplete, since local Java applications can still be exploited through malicious JAR files or network-delivered content. Web application firewalls can block known exploit payloads targeting 2D image processing, but such signature-based detection is easily evaded. Given confirmed active exploitation and public exploit availability, disabling the Java browser plugin entirely is recommended until patching is verified, accepting the operational impact on Java-dependent web applications.
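As an added example (not code from vuln.today, Oracle or any of the cited advisories), the following Python check maps a `java -version` banner onto the affected and fixed update levels listed above so a fleet inventory can be triaged for CVE-2013-2465. The banner format, the `openjdk version` variant on newer builds, and the assumption that distributions may backport the fix without changing the update number are assumptions, not facts stated on this page.

```python
import re

# First fixed update per affected Java family, from the June 2013 CPU
# (7 Update 25, 6 Update 51, 5.0 Update 51) cited in the remediation above.
FIXED_UPDATE = {5: 51, 6: 51, 7: 25}

# First line of `java -version`, e.g. 'java version "1.7.0_21"'; newer
# OpenJDK builds print 'openjdk version "..."' instead (assumption).
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.0(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def assess_cve_2013_2465(output):
    """Classify a banner as vulnerable, patched, check-distro-advisory,
    not-affected or unknown with respect to CVE-2013-2465."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "not-affected"  # only families 5, 6 and 7 are in the affected list
    if update >= FIXED_UPDATE[family]:
        return "patched"
    # OpenJDK distros may backport the fix without bumping the update number
    # (assumption), so the banner alone cannot settle it; the RHSA/SUSE
    # advisories cited above are the authority for those packages.
    if "OpenJDK" in output:
        return "check-distro-advisory"
    return "vulnerable"


# Constructed sample banners (not real captures), one per outcome.
SAMPLES = {
    'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)': "vulnerable",
    'java version "1.6.0_51"\nJava(TM) SE Runtime Environment (build 1.6.0_51-b11)': "patched",
    'java version "1.7.0_21"\nOpenJDK Runtime Environment (IcedTea 2.3.9)': "check-distro-advisory",
    'openjdk version "1.8.0_292"': "not-affected",
    'not a java banner': "unknown",
}

if __name__ == "__main__":
    for banner, expected in SAMPLES.items():
        print(f"{banner.splitlines()[0]:<28} -> {assess_cve_2013_2465(banner)} (expected {expected})")
```

Feed it the stderr of `java -version` from each host; "check-distro-advisory" results need the package version compared against the distribution advisory rather than the banner.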