Cyber Resilience

CVE-2013-2423

Low · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 April 2013
Modified: 22 April 2026
KEV Added: 25 May 2022
Patch: available
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.9340 (99.8th percentile)
Risk Priority: 83 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-2423 is a low-severity Improper Access Control (CWE-284) vulnerability in the Oracle JRE. Its CVSS base score is 3.7 (Low).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2013-2423 is an unspecified issue in the Java Runtime Environment (JRE) component of Oracle Java SE 7 Update 17 and earlier, as well as OpenJDK 7, related to the HotSpot virtual machine. It is tracked under weaknesses involving improper access control and carries a CVSS score of 3.7, reflecting network attack vectors with high complexity that impact integrity without affecting confidentiality or availability.

Remote attackers without authentication can exploit the flaw to bypass permission checks performed by the MethodHandles API. Successful exploitation permits modification of arbitrary public final fields through a combination of reflection and type confusion, with public demonstrations showing the ability to alter integer and double fields in order to disable the security manager.

Patches addressing the issue are described in multiple advisories and source updates, including IcedTea 2.3.9 for OpenJDK 7, OpenJDK changeset b453d9be6b3f, Red Hat RHSA-2013-0752, and corresponding openSUSE updates that apply fixes to the affected HotSpot code paths.
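The mitigation the page emphasises is flaw remediation: confirming that every JRE in the estate is past the affected update level. The following is an added example, not code from this page or from Oracle, that parses `java -version` output and flags installations inside the affected range (Java SE 7 Update 17 and earlier; OpenJDK 7 builds before IcedTea 2.3.9). The `java -version` line formats and the sample outputs are constructed assumptions; the version thresholds come from the advisory text above.

```python
import re
import subprocess

# Thresholds taken from the advisory text on this page:
#   - Oracle Java SE 7 Update 17 and earlier are affected (fixed in the April 2013 CPU)
#   - OpenJDK 7 is fixed from IcedTea 2.3.9 onward
LAST_AFFECTED_UPDATE = 17
FIXED_ICEDTEA = (2, 3, 9)

# Constructed sample outputs in the shape `java -version` is assumed to print
# (the runtime writes this banner to stderr, not stdout).
SAMPLE_ORACLE_7U17 = (
    'java version "1.7.0_17"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_17-b02)\n'
)
SAMPLE_ORACLE_7U21 = (
    'java version "1.7.0_21"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
)
SAMPLE_OPENJDK_ICEDTEA_238 = (
    'java version "1.7.0_15"\n'
    'OpenJDK Runtime Environment (IcedTea7 2.3.8) (7u15-2.3.8-0ubuntu0.12.10.1)\n'
)
SAMPLE_OPENJDK_ICEDTEA_239 = (
    'java version "1.7.0_21"\n'
    'OpenJDK Runtime Environment (IcedTea7 2.3.9) (7u21-2.3.9-0ubuntu0.12.10.1)\n'
)


def parse_java_version(output):
    """Return (major, update, icedtea) parsed from a `java -version` banner.

    `major` is the Java platform major (7 for "1.7.0_xx"), `update` is the
    numeric update level (0 when absent), and `icedtea` is a version tuple
    when the banner names an IcedTea build, else None. Returns None when the
    banner does not match the assumed format.
    """
    m = re.search(r'java version "1\.(\d+)\.0(?:_(\d+))?"', output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2) or 0)
    ice = re.search(r'IcedTea\d*\s+(\d+)\.(\d+)\.(\d+)', output)
    icedtea = tuple(int(x) for x in ice.groups()) if ice else None
    return major, update, icedtea


def is_vulnerable_to_cve_2013_2423(output):
    """True if the banner describes a JRE inside the advisory's affected range.

    Returns None when the banner cannot be parsed, so that unknown installs
    are routed to manual review rather than silently treated as patched.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update, icedtea = parsed
    if major != 7:
        # Only Java SE 7 / OpenJDK 7 appear in the advisory's affected list.
        return False
    if icedtea is not None:
        # OpenJDK builds: the fix shipped with IcedTea 2.3.9.
        return icedtea < FIXED_ICEDTEA
    # Oracle builds: 7u17 and earlier are affected.
    return update <= LAST_AFFECTED_UPDATE


def check_local_java():
    """Run the local `java -version` and classify it (None if java is absent)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_vulnerable_to_cve_2013_2423(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, banner in [("7u17", SAMPLE_ORACLE_7U17), ("7u21", SAMPLE_ORACLE_7U21),
                         ("IcedTea 2.3.8", SAMPLE_OPENJDK_ICEDTEA_238),
                         ("IcedTea 2.3.9", SAMPLE_OPENJDK_ICEDTEA_239)]:
        print(f"{name}: affected={is_vulnerable_to_cve_2013_2423(banner)}")
    print(f"local java: affected={check_local_java()}")
```

The IcedTea branch is checked before the Oracle update number because distribution builds of OpenJDK 7 backported the fix by IcedTea release, so the update level alone would misclassify them.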

EU & UK References

Vulnerability details

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via unknown vectors related to HotSpot. NOTE: the previous information is from the April 2013 CPU. Oracle has not commented on claims from the original researcher that this vulnerability allows remote attackers to bypass permission checks by the MethodHandles method and modify arbitrary public final fields using reflection and type confusion, as demonstrated using integer and double fields to disable the security manager.

CWE(s)

KEV Date Added: 25 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle / jre / 1.7.0
canonical / ubuntu linux / 12.10
opensuse / opensuse / 12.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly enforces access and permission checks that the CVE bypasses via MethodHandles reflection and type confusion.

prevent: Requires timely application of vendor patches (IcedTea, OpenJDK changeset, RHSA-2013-0752) that close the HotSpot flaw.

prevent: Limits privileges granted to Java code so that even a successful bypass cannot arbitrarily modify final fields or disable the security manager.

References