Description
The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors.
References (31)
Core 31
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2009-1200.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2009-1199.html
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2543
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37460
Third Party Advisory vendor-advisory
x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200911-02.xml
Vendor Advisory x_refsource_confirm
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Mailing List vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=125787273209737&w=2
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36199
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36248
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7723
Various Sources x_refsource_confirm
http://java.sun.com/javase/6/webnotes/6u15.html
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507985/100/0/threaded
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/35943
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9359
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36180
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/52337
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
Patch, Vendor Advisory x_refsource_confirm
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
Patch, Vendor Advisory vendor-advisory
x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263409-1
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36176
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1022659
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37300
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2009-1201.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-08/msg00003.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37386
Various Sources x_refsource_confirm
http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_20
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3316
Scores
EPSS
0.1752
EPSS Percentile
95.2%
Details
CWE
CWE-264
Status
published
Products (5)
sun/jdk
5.0 update_1 (17 CPE variants)
sun/jdk
6 update_1 (12 CPE variants)
sun/jdk
< 6
sun/jre
5.0 update_1 (18 CPE variants)
sun/jre
6 update_1 (2 CPE variants)
Published
Aug 05, 2009
Tracked Since
Feb 18, 2026