CVE-2009-2475

Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 10 Aug 2009, 18:00
Last modified: 07 Aug 2024, 05:52

Vulnerability Summary

  • Overall Risk (default): medium (31/100)
  • CVSS Score: 7.8 HIGH, v2.0 (nvd)
  • EPSS Score: 0.7% LOW
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 10 Aug 2009, 18:00: Published (vulnerability first disclosed)
  • 07 Aug 2024, 05:52: Last Modified (vulnerability information updated)

Description

Sun Java SE 5.0 before Update 20 and 6 before Update 15, and OpenJDK, might allow context-dependent attackers to obtain sensitive information via vectors involving static variables that are declared without the final keyword, related to (1) LayoutQueue, (2) Cursor.predefined, (3) AccessibleResourceBundle.getContents, (4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5) ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7) DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9) AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap, (11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS, a different vulnerability than CVE-2009-2673.

CVSS Metrics

  • v2.0 HIGH, Score: 7.8, Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

EPSS Trends

Current EPSS score: 0.70% Percentile: 72%

Techniques & Countermeasures

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

  • sun java_se

    ≤ 5.0 | ≤ 6
