CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.103 Low
Percentile: 95.0%

The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update
17 does not properly use security model permissions when removing installer
extensions, which allows remote attackers to execute arbitrary code by
modifying a certain JNLP file to have a URL field that points to an
unintended trusted application, aka Bug Id 6872824.