Vulnerabilities > CVE-2005-1973 - Privilege Escalation vulnerability in Sun Java Web Start
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Java Web Start in Java 2 Platform Standard Edition (J2SE) 5.0 and 5.0 Update 1 allows applications to assign permissions to themselves and gain privileges.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Nessus
NASL family Misc.
NASL id JAVA_JRE_PLUGIN_SECURITY_BYPASS2_UNIX.NASL
description The remote host is using an unmanaged version of Sun Java Runtime Environment that has vulnerabilities in its Java Runtime Plug-in, a web browser add-on used to display Java applets. The JRE Plug-in security can be bypassed by tricking a user into viewing a maliciously crafted web page. Additionally, a denial of service vulnerability is present in this version of the JVM. This issue is triggered by viewing an applet that misuses the serialization API.
last seen 2020-06-01
modified 2020-06-02
plugin id 64836
published 2013-02-22
reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/64836
title Sun Java JRE / Web Start Java Plug-in Untrusted Applet Privilege Escalation (Unix)
code
#
# (C) Tenable Network Security, Inc.
#
# Local version check for unmanaged Sun JRE installs on Unix hosts.
# It reads the "Host/Java/JRE/Unmanaged/*" knowledge-base entries, compares
# each version string against two regular expressions and reports matching
# installs together with their paths. It inspects recorded version strings
# only; nothing below probes the Plug-in or Web Start itself.
#

include("compat.inc");

# Metadata block: runs only when the plugin is being described, then exits.
if (description)
{
  script_id(64836);
  script_version("1.6");
  script_cvs_date("Date: 2019/12/04");

  # Two CVEs are covered by this single check. The 1.4.x branch of the version
  # test below is presumably there for CVE-2005-1974 - confirm against the
  # vendor advisory referenced under see_also.
  script_cve_id("CVE-2005-1973", "CVE-2005-1974");
  script_bugtraq_id(13945, 13958);
  script_xref(name:"Secunia", value:"15671");

  script_name(english:"Sun Java JRE / Web Start Java Plug-in Untrusted Applet Privilege Escalation (Unix)");
  script_summary(english:"Determines the version of Java JRE plugin");

  script_set_attribute(attribute:"synopsis", value:
"The remote Unix host contains a runtime environment that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host is using an unmanaged version of Sun Java Runtime Environment that has vulnerabilities in its Java Runtime Plug-in, a web browser add-on used to display Java applets. The JRE Plug-in security can be bypassed by tricking a user into viewing a maliciously crafted web page. Additionally, a denial of service vulnerability is present in this version of the JVM. 
This issue is triggered by viewing an applet that misuses the serialization API.");
  # http://web.archive.org/web/20080509045533/http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0103e844");
  script_set_attribute(attribute:"solution", value:
"Upgrade to JRE 1.4.2_08 / 1.5.0 update 2 or later.");
  # CVSS v2 base vector; the cvss_score_source attribute below attributes the
  # score to CVE-2005-1974, not to CVE-2005-1973.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2005-1974");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The version data used below is expected to be written by this dependency.
  script_dependencies("sun_java_jre_installed_unix.nasl");
  script_require_keys("Host/Java/JRE/Installed");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Check each installed JRE.
# get_kb_list_or_exit() presumably stops the plugin when no unmanaged JRE keys
# exist - confirm in audit.inc.
installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*");

info = "";                # report text for installs matching the vulnerable patterns
vuln = 0;                 # number of install paths that matched
vuln2 = 0;                # number of install paths in the final else branch (treated as not affected)
installed_versions = "";  # " & "-joined list of every version examined
granular = "";            # messages for versions too coarse to classify
foreach install (list_uniq(keys(installs)))
{
  # Strip the KB prefix so that only the version string remains.
  ver = install - "Host/Java/JRE/Unmanaged/";
  # Skip keys whose remainder does not start with a digit or a dot.
  if (ver !~ "^[0-9.]+") continue;
  installed_versions = installed_versions + " & " + ver;
  # First pattern: 1.4.0_*, 1.4.1_* and 1.4.2 updates 0-7 (leading zeros allowed).
  # Second pattern: 1.5.0 updates 0 and 1 (leading zeros allowed).
  # The trailing [^0-9] presumably keeps "_01" from also matching a longer
  # update number.
  # NOTE(review): because [^0-9] must consume a character, a version string that
  # ends directly after the update number (e.g. "1.4.2_07" with no suffix) does
  # not match either pattern and falls through to the "not affected" branch.
  # Confirm the format written by sun_java_jre_installed_unix.nasl; if bare
  # versions are possible this is a false negative.
  if (
    ver =~ "^1\.4\.([01]_|2_0*[0-7][^0-9])" ||
    ver =~ "^1\.5\.0_0*[01][^0-9]"
  )
  {
    # The KB value(s) stored under this key are the install path(s).
    dirs = make_list(get_kb_list(install));
    vuln += max_index(dirs);

    foreach dir (dirs)
      info += '\n Path : ' + dir;

    info += '\n Installed version : ' + ver;
    info += '\n Fixed version : 1.4.2_08 / 1.5.0_02\n';
  }
  # Version made only of digits and dots (no update suffix): cannot be
  # classified, so it is recorded as "not granular enough".
  # NOTE(review): relies on \d being understood by NASL's regex engine - confirm.
  else if (ver =~ "^[\d\.]+$")
  {
    dirs = make_list(get_kb_list(install));
    foreach dir (dirs)
      granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n';
  }
  # Anything else is counted as a non-affected install; the count only selects
  # singular or plural wording in the final exit message.
  else
  {
    dirs = make_list(get_kb_list(install));
    vuln2 += max_index(dirs);
  }
}

# Report if any were found to be vulnerable.
if (info)
{
  # With report verbosity enabled, the finding carries the per-install details.
  if (report_verbosity)
  {
    if (vuln > 1) s = "s of Sun's JRE are";
    else s = " of Sun's JRE is";

    report = string(
      "\n",
      "The following vulnerable instance", s, " installed on the\n",
      "remote host :\n",
      info
    );
    security_warning(port:0, extra:report);
  }
  else security_warning(0);
  # After reporting, the "not granular enough" messages become the exit text
  # and are not part of the finding itself.
  if (granular) exit(0, granular);
}
else
{
  # No match: the exit message is either the granularity notes or a
  # not-affected statement listing the versions examined.
  if (granular) exit(0, granular);

  # Drop the leading " & " separator added in the loop.
  installed_versions = substr(installed_versions, 3);
  if (vuln2 > 1)
    exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
  else
    exit(0, "The Java "+installed_versions+" install on the remote host is not affected.");
}
NASL family Windows
NASL id JAVA_JRE_PLUGIN_SECURITY_BYPASS2.NASL
description The remote host is using a vulnerable version of Sun Java Runtime Plug-in, an web browser addon used to display Java applets. It has been reported that the JRE Plug-in Security can be bypassed. A remote attacker could exploit this by tricking a user into viewing a maliciously crafted web page. Additionally, a denial of service vulnerability is present in this version of the JVM. This issue is triggered by viewing an applet that misuses the serialization API.
last seen 2020-06-01
modified 2020-06-02
plugin id 18480
published 2005-06-14
reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/18480
title Sun Java JRE / Web Start Java Plug-in Untrusted Applet Privilege Escalation
code
#
# (C) Tenable Network Security, Inc.
#
# Local version check for Sun JRE installs on Windows hosts.
# It reads the "SMB/Java/JRE/*" knowledge-base entries, compares each version
# string against two regular expressions and reports matching installs with
# their paths. It inspects recorded version strings only.
#

include("compat.inc");

# Metadata block: runs only when the plugin is being described, then exits.
if(description)
{
  script_id(18480);
  script_version("1.26");
  script_cvs_date("Date: 2018/08/22 16:49:14");

  # Two CVEs are covered by this single version check.
  script_cve_id("CVE-2005-1973", "CVE-2005-1974");
  script_bugtraq_id(13958, 13945);
  script_xref(name:"Secunia", value:"15671");

  script_name(english:"Sun Java JRE / Web Start Java Plug-in Untrusted Applet Privilege Escalation");
  script_summary(english:"Determines the version of Java JRE plugin");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host contains a runtime environment that is affected by multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is using a vulnerable version of Sun Java Runtime Plug-in, an web browser addon used to display Java applets. It has been reported that the JRE Plug-in Security can be bypassed. A remote attacker could exploit this by tricking a user into viewing a maliciously crafted web page. Additionally, a denial of service vulnerability is present in this version of the JVM. 
This issue is triggered by viewing an applet that misuses the serialization API."
  );
  # http://web.archive.org/web/20080509045533/http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0103e844"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Upgrade to JRE 1.4.2_08 / 1.5.0 update 2 or later."
  );
  # NOTE(review): this base vector (AC:M, C:C/I:C/A:C) rates the same CVE pair
  # higher than the Unix plugin 64836 shown above it (AC:H, C:P/I:P/A:P), and no
  # cvss_score_source attribute is set here. Expect different severities for
  # the same issue depending on which plugin fired.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/13");
  script_set_attribute(attribute:"patch_publication_date", value: "2005/06/13");

  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The version data used below is expected to be written by this dependency.
  script_dependencies("sun_java_jre_installed.nasl");
  script_require_keys("SMB/Java/JRE/Installed");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");

# Check each installed JRE.
installs = get_kb_list("SMB/Java/JRE/*");
# No JRE keys recorded: exit silently without a message.
if (isnull(installs)) exit(0);

info = "";  # report text for installs matching the vulnerable patterns
vuln = 0;   # number of install paths that matched
foreach install (list_uniq(keys(installs)))
{
  # Strip the KB prefix so that only the version string remains. Non-version
  # keys under the same prefix (e.g. the required "Installed" key) simply fail
  # both patterns below.
  ver = install - "SMB/Java/JRE/";
  # First pattern: 1.4.0_*, 1.4.1_* and 1.4.2 updates 0-7 (leading zeros allowed).
  # Second pattern: 1.5.0 updates 0 and 1 (leading zeros allowed).
  # NOTE(review): both patterns end in [^0-9], which must consume a character,
  # so a version string that ends directly after the update number (e.g.
  # "1.4.2_07" with no suffix) does not match. Confirm the format written by
  # sun_java_jre_installed.nasl; if bare versions are possible this is a false
  # negative. Unlike the Unix variant of this check, versions that do not
  # match are skipped without any "not affected" or "not granular" message.
  if (
    ver =~ "^1\.4\.([01]_|2_0*[0-7][^0-9])" ||
    ver =~ "^1\.5\.0_0*[01][^0-9]"
  )
  {
    # The KB value(s) stored under this key are the install path(s).
    dirs = make_list(get_kb_list(install));
    vuln += max_index(dirs);

    foreach dir (dirs)
      info += '\n Path : ' + dir;

    info += '\n Installed version : ' + ver;
    info += '\n Fixed version : 1.4.2_08 / 1.5.0_02\n';
  }
}

# Report if any were found to be vulnerable.
if (info)
{
  # With report verbosity enabled, the finding carries the per-install details;
  # either way it is raised on the port stored under "SMB/transport".
  if (report_verbosity)
  {
    if (vuln > 1) s = "s of Sun's JRE are";
    else s = " of Sun's JRE is";

    report = string(
      "\n",
      "The following vulnerable instance", s, " installed on the\n",
      "remote host :\n",
      info
    );
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
}