CVE-2008-2086

Name: CVE-2008-2086
Description: Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allow remote attackers to execute arbitrary code via a crafted jnlp file that modifies the (1) java.home, (2) java.ext.dirs, or (3) user.home System Properties, aka "Java Web Start File Inclusion" and CR 6694892.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high (attack range: remote)

The information below is based on the following data on fixed versions.

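| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openjdk-6 | source | (unstable) | (not affected) | | | |
| sun-java5 | source | (unstable) | (unfixed) | high | | |
| sun-java6 | source | (unstable) | 6-10-1 | high | | |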

Notes

- openjdk-6 <not-affected> (browser plugin is different code base)
[etch] - sun-java5 <no-dsa> (Non-free not supported)
[lenny] - sun-java5 <no-dsa> (Non-free not supported)
[lenny] - sun-java6 <no-dsa> (Non-free not supported)
