Description

The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.

References

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

http://java.sun.com/javase/6/webnotes/6u17.html

http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html

http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html

http://secunia.com/advisories/37386

http://secunia.com/advisories/37581

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://support.apple.com/kb/HT3969

http://support.apple.com/kb/HT3970

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

https://bugzilla.redhat.com/show_bug.cgi?id=530300

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11686

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6960

Details

Risk Information

CVSS v2