CVE-2009-3728medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
Directory traversal vulnerability in the ICC_Profile.getInstance method in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local International Color Consortium (ICC) profile files via a .. (dot dot) in a pathname, aka Bug Id 6631533.
References
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html
http://java.sun.com/javase/6/webnotes/6u17.html
http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html
http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html
http://secunia.com/advisories/37386
http://secunia.com/advisories/37581
http://security.gentoo.org/glsa/glsa-200911-02.xml
http://support.apple.com/kb/HT3969
http://support.apple.com/kb/HT3970
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
https://bugzilla.redhat.com/show_bug.cgi?id=530098
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10520
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6657
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update10:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update11:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update12:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update13:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update14:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update15:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update16:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update4:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update5:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update6:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update7:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update8:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update9:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 89736 | VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check) | Nessus | VMware ESX Local Security Checks | critical |
| 67960 | Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2009-1584) | Nessus | Oracle Linux Local Security Checks | critical |
| 67075 | CentOS 5 : java-1.6.0-openjdk (CESA-2009:1584) | Nessus | CentOS Local Security Checks | critical |
| 64831 | Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ...) (Unix) | Nessus | Misc. | high |
| 60691 | Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high |
| 53539 | RHEL 4 : Sun Java Runtime in Satellite Server (RHSA-2009:1662) | Nessus | Red Hat Local Security Checks | critical |
| 46176 | Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2010:084) | Nessus | Mandriva Local Security Checks | high |
| 45386 | VMSA-2010-0002 : VMware vCenter update release addresses multiple security issues in Java JRE | Nessus | VMware ESX Local Security Checks | critical |
| 43003 | Mac OS X : Java for Mac OS X 10.6 Update 1 | Nessus | MacOS X Local Security Checks | high |
| 43002 | Mac OS X : Java for Mac OS X 10.5 Update 6 | Nessus | MacOS X Local Security Checks | high |
| 42926 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613) | Nessus | SuSE Local Security Checks | high |
| 42923 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613) | Nessus | SuSE Local Security Checks | high |
| 42921 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613) | Nessus | SuSE Local Security Checks | high |
| 42834 | GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 42828 | RHEL 5 : java-1.6.0-openjdk (RHSA-2009:1584) | Nessus | Red Hat Local Security Checks | critical |
| 42817 | Ubuntu 8.10 / 9.04 / 9.10 : openjdk-6 vulnerabilities (USN-859-1) | Nessus | Ubuntu Local Security Checks | critical |
| 42806 | Fedora 10 : java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 (2009-11490) | Nessus | Fedora Local Security Checks | high |
| 42805 | Fedora 12 : java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 (2009-11489) | Nessus | Fedora Local Security Checks | high |
| 42802 | Fedora 11 : java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 (2009-11486) | Nessus | Fedora Local Security Checks | high |
| 42455 | RHEL 4 / 5 : java-1.5.0-sun (RHSA-2009:1571) | Nessus | Red Hat Local Security Checks | critical |
| 42431 | RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1560) | Nessus | Red Hat Local Security Checks | critical |
| 42373 | Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ..) | Nessus | Windows | high |