CVE-2009-1190
Sun JDK < 1.6 - Denial of Service via Regex Compilation with Optional Groups
Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.
References (6)
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/502926/100/0/threaded
Exploit (x_refsource_misc): http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/50083
Exploit (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=497161
Vendor Advisory (x_refsource_confirm): http://www.springsource.com/securityadvisory
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/34892
Scores
EPSS: 0.0138 (percentile 80.5%)
Details
CWE: CWE-399
Status: published
Products (39)
org.springframework/spring-core 1.1.0 - 3.0.0.RELEASE (Maven)
sun/jdk 1.1.0
sun/jdk 1.1.6 (2 CPE variants)
sun/jdk 1.1.7b (2 CPE variants)
sun/jdk 1.1.8 update10 (6 CPE variants)
sun/jdk 1.2.0
sun/jdk 1.2.1 (2 CPE variants)
sun/jdk 1.2.2 update4 (2 CPE variants)
sun/jdk 1.3.0
sun/jdk 1.3.0_01
... and 29 more
Published: Apr 27, 2009
Tracked Since: Feb 18, 2026