Exploitation Summary
CVE-2013-2460 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 2 public exploits from researchers including Metasploit and Adam Gowdiak's advisory and PoC, including the Metasploit module exploits/multi/browser/java_jre17_provider_skeleton.
AI-analyzed exploit summary
This Metasploit module exploits CVE-2013-2460 by abusing the insecure invoke() method of the ProviderSkeleton class in Java 7u21 and earlier, allowing arbitrary static method calls with user-supplied arguments. It delivers a malicious JAR file via an HTML page with an applet tag, achieving remote code execution.
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "insufficient access checks" in the tracing component.
Exploits (2)
This Metasploit module exploits CVE-2013-2460 by abusing the insecure invoke() method of the ProviderSkeleton class in Java 7u21 and earlier, allowing arbitrary static method calls with user-supplied arguments. It delivers a malicious JAR file via an HTML page with an applet tag, achieving remote code execution.
This Metasploit module exploits CVE-2013-2460, targeting Java 7u21 and earlier by abusing the insecure invoke() method of the ProviderSkeleton class to achieve arbitrary static method execution. It delivers a malicious JAR file via an HTML page with an embedded applet.