Vulnerability Description
Directory traversal vulnerability in the PersistenceService in Sun Java Web Start in JDK and JRE 5.0 Update 11 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, for Windows allows remote attackers to perform unauthorized actions via an application that grants file overwrite privileges to itself. NOTE: this can be leveraged to execute arbitrary code by overwriting a .java.policy file.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows | All versions |
| Sun | Jdk | <= 1.5.0 |
| Sun | Jre | <= 1.4.2 |
| Sun | Sdk | <= 1.4.2_13 |
Related Weaknesses (CWE)
References
- http://docs.info.apple.com/article.html?artnum=307177
- http://lists.apple.com/archives/Security-announce/2007/Dec/msg00001.html
- http://osvdb.org/37755
- http://secunia.com/advisories/25823Vendor Advisory
- http://secunia.com/advisories/28115Vendor Advisory
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102957-1Patch
- http://www.securityfocus.com/archive/1/472673/100/0/threaded
- http://www.securityfocus.com/bid/24695
- http://www.securitytracker.com/id?1018328
- http://www.vupen.com/english/advisories/2007/2384Vendor Advisory
- http://www.vupen.com/english/advisories/2007/4224Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35169
- http://docs.info.apple.com/article.html?artnum=307177
- http://lists.apple.com/archives/Security-announce/2007/Dec/msg00001.html
- http://osvdb.org/37755
FAQ
What is CVE-2007-3504?
CVE-2007-3504 is a vulnerability with a CVSS score of 9.3 (HIGH). Directory traversal vulnerability in the PersistenceService in Sun Java Web Start in JDK and JRE 5.0 Update 11 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, for Windows allows r...
How severe is CVE-2007-3504?
CVE-2007-3504 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-3504?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows, Sun Jdk, Sun Jre, Sun Sdk.