CVE-2009-3866

The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824.

Published: Nov 5, 2009
Updated: Apr 13, 2023
CVE: CVE-2009-3866
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
sun / jdk	1.6.0-update_4	1.6.0-update_4.x
sun / jre	1.6.0-update_3	1.6.0-update_3.x
sun / jre	1.6.0-update_5	1.6.0-update_5.x
sun / jdk	1.6.0-update_7	1.6.0-update_7.x
sun / jdk	1.6.0-update_13	1.6.0-update_13.x
sun / jre	1.6.0-update_13	1.6.0-update_13.x
sun / jdk	1.6.0-update_9	1.6.0-update_9.x
sun / jre	1.6.0-update_1	1.6.0-update_1.x
sun / jre	1.6.0-update_2	1.6.0-update_2.x
sun / jdk	1.6.0-update_3	1.6.0-update_3.x
sun / jre	1.6.0-update_16	1.6.0-update_16.x
sun / jdk	1.6.0-update_11	1.6.0-update_11.x
sun / jdk	1.6.0-update_10	1.6.0-update_10.x
sun / jre	1.6.0-update_15	1.6.0-update_15.x
sun / jre	1.6.0-update_6	1.6.0-update_6.x
sun / jdk	1.6.0-update_14	1.6.0-update_14.x
sun / jdk	1.6.0-update_5	1.6.0-update_5.x
sun / jdk	1.6.0-update_8	1.6.0-update_8.x
sun / jre	1.6.0-update_10	1.6.0-update_10.x
sun / jdk	1.6.0-update_16	1.6.0-update_16.x
sun / jre	1.6.0-update_8	1.6.0-update_8.x
sun / jre	1.6.0-update_7	1.6.0-update_7.x
sun / jre	1.6.0-update_14	1.6.0-update_14.x
sun / jdk	1.6.0-update_15	1.6.0-update_15.x
sun / jdk	1.6.0-update_12	1.6.0-update_12.x
sun / jre	1.6.0-update_4	1.6.0-update_4.x
sun / jdk	1.6.0-update_1	1.6.0-update_1.x
sun / jdk	1.6.0-update_6	1.6.0-update_6.x
sun / jre	1.6.0-update_9	1.6.0-update_9.x
sun / jre	1.6.0-update_12	1.6.0-update_12.x
sun / jre	1.6.0-update_11	1.6.0-update_11.x

Vulnerability Database

290,020

CVE-2009-3866