NVD Vulnerability Detail

CVE-2009-3866

Summary	The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824.
Summary	Java Web Start Installer en Sun Java SE en JDK y JRE 6 anteriores a Update 17 no usa adecuadamente los permisos del modelo de seguridad cuando borra las extensiones del instalador, lo que permite a los atacantes remotos ejecutar arbitrariamente código modificando ciertos archivos JNLP que tienen un campo URL que apunta a una aplicación no confiable, también conocido como Bug Id 6872824.
Publication Date	Nov. 6, 2009, 1:30 a.m.
Registration Date	Jan. 29, 2021, 1:25 p.m.
Last Update	April 23, 2026, 9:35 a.m.

CVSS2.0 : HIGH
Score	9.3
Vector	AV:N/AC:M/Au:N/C:C/I:C/A:C
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sun:jdk:1.6.0:update_1::::::
cpe:2.3:a:sun:jdk:1.6.0:update_10::::::
cpe:2.3:a:sun:jdk:1.6.0:update_11::::::
cpe:2.3:a:sun:jdk:1.6.0:update_12::::::
cpe:2.3:a:sun:jdk:1.6.0:update_13::::::
cpe:2.3:a:sun:jdk:1.6.0:update_14::::::
cpe:2.3:a:sun:jdk:1.6.0:update_15::::::
cpe:2.3:a:sun:jdk:1.6.0:update_16::::::
cpe:2.3:a:sun:jdk:1.6.0:update_3::::::
cpe:2.3:a:sun:jdk:1.6.0:update_4::::::
cpe:2.3:a:sun:jdk:1.6.0:update_5::::::
cpe:2.3:a:sun:jdk:1.6.0:update_6::::::
cpe:2.3:a:sun:jdk:1.6.0:update_7::::::
cpe:2.3:a:sun:jdk:1.6.0:update_8::::::
cpe:2.3:a:sun:jdk:1.6.0:update_9::::::
cpe:2.3:a:sun:jre:1.6.0:update_1::::::
cpe:2.3:a:sun:jre:1.6.0:update_10::::::
cpe:2.3:a:sun:jre:1.6.0:update_11::::::
cpe:2.3:a:sun:jre:1.6.0:update_12::::::
cpe:2.3:a:sun:jre:1.6.0:update_13::::::
cpe:2.3:a:sun:jre:1.6.0:update_14::::::
cpe:2.3:a:sun:jre:1.6.0:update_15::::::
cpe:2.3:a:sun:jre:1.6.0:update_16::::::
cpe:2.3:a:sun:jre:1.6.0:update_2::::::
cpe:2.3:a:sun:jre:1.6.0:update_3::::::
cpe:2.3:a:sun:jre:1.6.0:update_4::::::
cpe:2.3:a:sun:jre:1.6.0:update_5::::::
cpe:2.3:a:sun:jre:1.6.0:update_6::::::
cpe:2.3:a:sun:jre:1.6.0:update_7::::::
cpe:2.3:a:sun:jre:1.6.0:update_8::::::
cpe:2.3:a:sun:jre:1.6.0:update_9::::::

Related information, measures and tools

No	URL	refsource
1	http://java.sun.com/javase/6/webnotes/6u17.html	cve@mitre.org
2	http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html	cve@mitre.org
3	http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html	cve@mitre.org
4	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html	cve@mitre.org
5	http://marc.info/?l=bugtraq&m=134254866602253&w=2	cve@mitre.org
6	http://secunia.com/advisories/37231	cve@mitre.org
7	http://secunia.com/advisories/37239	cve@mitre.org
8	http://secunia.com/advisories/37386	cve@mitre.org
9	http://secunia.com/advisories/37581	cve@mitre.org
10	http://secunia.com/advisories/37841	cve@mitre.org
11	http://security.gentoo.org/glsa/glsa-200911-02.xml	cve@mitre.org
12	http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1	cve@mitre.org
13	http://support.apple.com/kb/HT3969	cve@mitre.org
14	http://support.apple.com/kb/HT3970	cve@mitre.org
15	http://www.redhat.com/support/errata/RHSA-2009-1694.html	cve@mitre.org
16	http://www.securityfocus.com/bid/36881	cve@mitre.org
17	http://www.vupen.com/english/advisories/2009/3131	cve@mitre.org
18	http://zerodayinitiative.com/advisories/ZDI-09-077/	cve@mitre.org
19	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6635	cve@mitre.org
20	http://java.sun.com/javase/6/webnotes/6u17.html	af854a3a-2127-422b-91ae-364da2661108
21	http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html	af854a3a-2127-422b-91ae-364da2661108
22	http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html	af854a3a-2127-422b-91ae-364da2661108
23	http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html	af854a3a-2127-422b-91ae-364da2661108
24	http://marc.info/?l=bugtraq&m=134254866602253&w=2	af854a3a-2127-422b-91ae-364da2661108
25	http://secunia.com/advisories/37231	af854a3a-2127-422b-91ae-364da2661108
26	http://secunia.com/advisories/37239	af854a3a-2127-422b-91ae-364da2661108
27	http://secunia.com/advisories/37386	af854a3a-2127-422b-91ae-364da2661108
28	http://secunia.com/advisories/37581	af854a3a-2127-422b-91ae-364da2661108
29	http://secunia.com/advisories/37841	af854a3a-2127-422b-91ae-364da2661108
30	http://security.gentoo.org/glsa/glsa-200911-02.xml	af854a3a-2127-422b-91ae-364da2661108
31	http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1	af854a3a-2127-422b-91ae-364da2661108
32	http://support.apple.com/kb/HT3969	af854a3a-2127-422b-91ae-364da2661108
33	http://support.apple.com/kb/HT3970	af854a3a-2127-422b-91ae-364da2661108
34	http://www.redhat.com/support/errata/RHSA-2009-1694.html	af854a3a-2127-422b-91ae-364da2661108
35	http://www.securityfocus.com/bid/36881	af854a3a-2127-422b-91ae-364da2661108
36	http://www.vupen.com/english/advisories/2009/3131	af854a3a-2127-422b-91ae-364da2661108
37	http://zerodayinitiative.com/advisories/ZDI-09-077/	af854a3a-2127-422b-91ae-364da2661108
38	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6635	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sun:jdk:1.6.0:update_1::::::
cpe:2.3:a:sun:jdk:1.6.0:update_10::::::
cpe:2.3:a:sun:jdk:1.6.0:update_11::::::
cpe:2.3:a:sun:jdk:1.6.0:update_12::::::
cpe:2.3:a:sun:jdk:1.6.0:update_13::::::
cpe:2.3:a:sun:jdk:1.6.0:update_14::::::
cpe:2.3:a:sun:jdk:1.6.0:update_15::::::
cpe:2.3:a:sun:jdk:1.6.0:update_16::::::
cpe:2.3:a:sun:jdk:1.6.0:update_3::::::
cpe:2.3:a:sun:jdk:1.6.0:update_4::::::
cpe:2.3:a:sun:jdk:1.6.0:update_5::::::
cpe:2.3:a:sun:jdk:1.6.0:update_6::::::
cpe:2.3:a:sun:jdk:1.6.0:update_7::::::
cpe:2.3:a:sun:jdk:1.6.0:update_8::::::
cpe:2.3:a:sun:jdk:1.6.0:update_9::::::
cpe:2.3:a:sun:jre:1.6.0:update_1::::::
cpe:2.3:a:sun:jre:1.6.0:update_10::::::
cpe:2.3:a:sun:jre:1.6.0:update_11::::::
cpe:2.3:a:sun:jre:1.6.0:update_12::::::
cpe:2.3:a:sun:jre:1.6.0:update_13::::::
cpe:2.3:a:sun:jre:1.6.0:update_14::::::
cpe:2.3:a:sun:jre:1.6.0:update_15::::::
cpe:2.3:a:sun:jre:1.6.0:update_16::::::
cpe:2.3:a:sun:jre:1.6.0:update_2::::::
cpe:2.3:a:sun:jre:1.6.0:update_3::::::
cpe:2.3:a:sun:jre:1.6.0:update_4::::::
cpe:2.3:a:sun:jre:1.6.0:update_5::::::
cpe:2.3:a:sun:jre:1.6.0:update_6::::::
cpe:2.3:a:sun:jre:1.6.0:update_7::::::
cpe:2.3:a:sun:jre:1.6.0:update_8::::::
cpe:2.3:a:sun:jre:1.6.0:update_9::::::