CVE-2011-3544

CRITICAL KEV

Java Applet Rhino Script Engine Remote Code Execution

Title source: metasploit

Description

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/18171

metasploit WORKING POC EXCELLENT
by Michael Schierl, juan vazquez · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_rhino.rb

Scores

CVSS v3 9.8
EPSS 0.9254
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-03
VulnCheck KEV 2012-01-14
InTheWild.io 2022-03-03
ENISA EUVD EUVD-2011-3507
CWE CWE-284
Status published
Products (8)
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 10.10
canonical/ubuntu_linux 11.04
canonical/ubuntu_linux 11.10
oracle/jdk 1.6.0 (20 CPE variants)
oracle/jdk 1.7.0 (19 CPE variants)
oracle/jdk < 1.6.0
oracle/jre 1.6.0 (6 CPE variants)
Published Oct 19, 2011
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026