Description
jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.
References (5)
Core 5
Core References
Patch, Third Party Advisory, VDB Entry vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2014:0414
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/02/08/6
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2015/02/09/9
Patch, Vendor Advisory x_refsource_confirm
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d5f36e1c927e
Issue Tracking, Patch, Third Party Advisory, VDB Entry x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1031471
Scores
CVSS v3
5.3
EPSS
0.0243
EPSS Percentile
82.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-74
Status
published
Products (3)
oracle/jdk
1.7.0 update1 (33 CPE variants)
oracle/jdk
< 1.7.0
oracle/jre
1.7.0 update1 (16 CPE variants)
Published
Dec 29, 2017
Tracked Since
Feb 18, 2026