CVE-2009-3884

high

Description

The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6960

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11686

https://bugzilla.redhat.com/show_bug.cgi?id=530300

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

http://support.apple.com/kb/HT3970

http://support.apple.com/kb/HT3969

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://secunia.com/advisories/37581

http://secunia.com/advisories/37386

http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html

http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html

http://java.sun.com/javase/6/webnotes/6u17.html

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Details

Source: Mitre, NVD

Published: 2009-11-09

Updated: 2025-04-09

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.0137