CVE-2009-3880

high

Description

The Abstract Window Toolkit (AWT) in Java Runtime Environment (JRE) in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager, aka Bug Id 6664512.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7316

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10761

https://bugzilla.redhat.com/show_bug.cgi?id=530296

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://secunia.com/advisories/37386

http://java.sun.com/javase/6/webnotes/6u17.html

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Details

Source: Mitre, NVD

Published: 2009-11-09

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00617