2017-12-29 23:29:00 2018-01-17 18:59:30

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

Vector: NETWORK

Complexity: LOW

Authentication: NONE

Confidentiality: NONE

Integrity: PARTIAL

Availability: NONE
Affected products

Oracle JDK 1.7.0
Oracle JDK 1.7.0 update1
Oracle JDK 1.7.0 Update 10
Oracle Jdk 1.7.0 Update10 b31 (not an official CPE)
Oracle JDK 1.7.0 Update 11
Oracle Jdk 1.7.0 Update11 b32 (not an official CPE)
Oracle JDK 1.7.0 Update 13
Oracle JDK 1.7.0 Update 15
Oracle JDK 1.7.0 Update 17
Oracle Jdk 1.7.0 Update17 b31 (not an official CPE)
Oracle Jdk 1.7.0 Update17 b32 (not an official CPE)
Oracle JDK 1.7.0 update2
Oracle JDK 1.7.0 Update 21
Oracle Jdk 1.7.0 Update21 b31 (not an official CPE)
Oracle JDK 1.7.0 Update 25
Oracle Jdk 1.7.0 Update25 b33 (not an official CPE)
Oracle Jdk 1.7.0 Update25 b34 (not an official CPE)
Oracle Jdk 1.7.0 Update25 b35 (not an official CPE)
Oracle JDK 1.7.0 update3
Oracle JDK 1.7.0 Update 4
Oracle Jdk 1.7.0 Update40 (not an official CPE)
Oracle Jdk 1.7.0 Update45 (not an official CPE)
Oracle Jdk 1.7.0 Update45 b31 (not an official CPE)
Oracle Jdk 1.7.0 Update45 b32 (not an official CPE)
Oracle Jdk 1.7.0 Update45 b33 (not an official CPE)
Oracle Jdk 1.7.0 Update45 b34 (not an official CPE)
Oracle JDK 1.7.0 Update 5
Oracle Jdk 1.7.0 Update51 (not an official CPE)
Oracle JDK 1.7.0 Update 6
Oracle JDK 1.7.0 Update 7
Oracle Jdk 1.7.0 Update7 b32 (not an official CPE)
Oracle JDK 1.7.0 Update 9
Oracle Jdk 1.7.0 Update9 b31 (not an official CPE)
Oracle Jdk 1.7.0 Update9 b32 (not an official CPE)

Oracle JRE 1.7.0
Oracle JRE 1.7.0 update1
Oracle JRE 1.7.0 Update 10
Oracle Jre 1.7.0 Update10 b31 (not an official CPE)
Oracle JRE 1.7.0 Update 11
Oracle Jre 1.7.0 Update11 b32 (not an official CPE)
Oracle JRE 1.7.0 Update 13
Oracle JRE 1.7.0 Update 15
Oracle JRE 1.7.0 Update 17
Oracle Jre 1.7.0 Update17 b31 (not an official CPE)
Oracle Jre 1.7.0 Update17 b32 (not an official CPE)
Oracle JRE 1.7.0 update2
Oracle JRE 1.7.0 Update 21
Oracle Jre 1.7.0 Update21 b31 (not an official CPE)
Oracle JRE 1.7.0 Update 25
Oracle Jre 1.7.0 Update25 b33 (not an official CPE)
Oracle Jre 1.7.0 Update25 b34 (not an official CPE)
Oracle Jre 1.7.0 Update25 b35 (not an official CPE)
Oracle JRE 1.7.0 update3
Oracle JRE 1.7.0 Update 4
Oracle Jre 1.7.0 Update40 (not an official CPE)
Oracle Jre 1.7.0 Update45 (not an official CPE)
Oracle Jre 1.7.0 Update45 b31 (not an official CPE)
Oracle Jre 1.7.0 Update45 b32 (not an official CPE)
Oracle Jre 1.7.0 Update45 b33 (not an official CPE)
Oracle Jre 1.7.0 Update45 b34 (not an official CPE)
Oracle JRE 1.7.0 Update 5
Oracle Jre 1.7.0 Update51 (not an official CPE)
Oracle JRE 1.7.0 Update 6
Oracle JRE 1.7.0 Update 7
Oracle Jre 1.7.0 Update7 b32 (not an official CPE)
Oracle JRE 1.7.0 Update 9
Oracle Jre 1.7.0 Update9 b31 (not an official CPE)
Oracle Jre 1.7.0 Update9 b32 (not an official CPE)

Weakness: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Related CAPEC (38)

Buffer Overflow via Environment Variables (CAPEC-10)
Server Side Include (SSI) Injection (CAPEC-101)
Cross Site Scripting through Log Files (CAPEC-106)
Command Line Execution through SQL Injection (CAPEC-108)
Subverting Environment Variable Values (CAPEC-13)
Format String Injection (CAPEC-135)
Client-side Injection-induced Buffer Overflow (CAPEC-14)
Filter Failure through Buffer Overflow (CAPEC-24)
XML Injection (CAPEC-250)
Leverage Alternate Encoding (CAPEC-267)
HTTP Response Smuggling (CAPEC-273)
Fuzzing (CAPEC-28)
Using Leading 'Ghost' Character Sequences to Bypass Input Filters (CAPEC-3)
HTTP Response Splitting (CAPEC-34)
Manipulating Writeable Terminal Devices (CAPEC-40)
MIME Conversion (CAPEC-42)
Exploiting Multiple Input Interpretation Layers (CAPEC-43)
Buffer Overflow via Symbolic Links (CAPEC-45)
Overflow Variables and Tags (CAPEC-46)
Buffer Overflow via Parameter Expansion (CAPEC-47)
Poison Web Service Registry (CAPEC-51)
Embedding NULL Bytes (CAPEC-52)
Postfix, Null Terminate, and Backslash (CAPEC-53)
Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-64)
SQL Injection (CAPEC-66)
String Format Overflow in syslog() (CAPEC-67)
Blind SQL Injection (CAPEC-7)
Using Unicode Encoding to Bypass Validation Logic (CAPEC-71)
URL Encoding (CAPEC-72)
Manipulating Input to File System Calls (CAPEC-76)
Using Escaped Slashes in Alternate Encoding (CAPEC-78)
Using Slashes in Alternate Encoding (CAPEC-79)
Buffer Overflow in an API Call (CAPEC-8)
Using UTF-8 Encoding to Bypass Validation Logic (CAPEC-80)
XPath Injection (CAPEC-83)
XQuery Injection (CAPEC-84)
Buffer Overflow in Local Command-Line Utilities (CAPEC-9)
XSS in IMG Tags (CAPEC-91)