Java Web start vulnerability

2008.11.05

Credit: varun srivastav gmail com

Risk: High

Local: No

Remote: Yes

CVE: CVE-2008-4910

CWE: NVD-CWE-noinfo

CVSS Base Score: 10/10

Impact Subscore: 10/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

Hi,
There is vulnerability in Java Web Start. Already there is some vulnerability posted for persistenceservice service of java web start. But in Basicservice also we can run any file on the client using showDocument method. Just give the URL of file on client computer. If the browser has software attached to run that filetype it will be run automatically without user knowledge.
Regards
Varun Srivastava

References:

http://xforce.iss.net/xforce/xfdb/46119

http://www.securityfocus.com/bid/31916

http://www.securityfocus.com/archive/1/archive/1/497972/100/0/threaded

http://www.securityfocus.com/archive/1/archive/1/497799/100/0/threaded

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Java Web start vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.