
CVE-2013-4578

Weakness type: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

Published: Dec 29, 2017 | Modified: Jan 17, 2018
Source: NVD

CVSS 3.x: 5.3 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS 2.x: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N)

jarsigner in OpenJDK and Oracle Java SE before 7u51 allows remote attackers to bypass a code-signing protection mechanism and inject unsigned bytecode into a signed JAR file by leveraging improper file validation.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name  Vendor  Start Version                    End Version
----  ------  ------------------------------   ------------------------------
Jdk   Oracle  1.7.0-update1 (including)        1.7.0-update1 (including)
Jdk   Oracle  1.7.0-update10 (including)       1.7.0-update10 (including)
Jdk   Oracle  1.7.0-update10_b31 (including)   1.7.0-update10_b31 (including)
Jdk   Oracle  1.7.0-update11 (including)       1.7.0-update11 (including)
Jdk   Oracle  1.7.0-update11_b32 (including)   1.7.0-update11_b32 (including)
Jdk   Oracle  1.7.0-update13 (including)       1.7.0-update13 (including)
Jdk   Oracle  1.7.0-update15 (including)       1.7.0-update15 (including)
Jdk   Oracle  1.7.0-update17 (including)       1.7.0-update17 (including)
Jdk   Oracle  1.7.0-update17_b31 (including)   1.7.0-update17_b31 (including)
Jdk   Oracle  1.7.0-update17_b32 (including)   1.7.0-update17_b32 (including)
Jdk   Oracle  1.7.0-update2 (including)        1.7.0-update2 (including)
Jdk   Oracle  1.7.0-update21 (including)       1.7.0-update21 (including)
Jdk   Oracle  1.7.0-update21_b31 (including)   1.7.0-update21_b31 (including)
Jdk   Oracle  1.7.0-update25 (including)       1.7.0-update25 (including)
Jdk   Oracle  1.7.0-update25_b33 (including)   1.7.0-update25_b33 (including)
Jdk   Oracle  1.7.0-update25_b34 (including)   1.7.0-update25_b34 (including)
Jdk   Oracle  1.7.0-update25_b35 (including)   1.7.0-update25_b35 (including)
Jdk   Oracle  1.7.0-update3 (including)        1.7.0-update3 (including)
Jdk   Oracle  1.7.0-update4 (including)        1.7.0-update4 (including)
Jdk   Oracle  1.7.0-update40 (including)       1.7.0-update40 (including)
Jdk   Oracle  1.7.0-update45 (including)       1.7.0-update45 (including)
Jdk   Oracle  1.7.0-update45_b31 (including)   1.7.0-update45_b31 (including)
Jdk   Oracle  1.7.0-update45_b32 (including)   1.7.0-update45_b32 (including)
Jdk   Oracle  1.7.0-update45_b33 (including)   1.7.0-update45_b33 (including)
Jdk   Oracle  1.7.0-update45_b34 (including)   1.7.0-update45_b34 (including)
Jdk   Oracle  1.7.0-update5 (including)        1.7.0-update5 (including)
Jdk   Oracle  1.7.0-update51 (including)       1.7.0-update51 (including)
Jdk   Oracle  1.7.0-update6 (including)        1.7.0-update6 (including)
Jdk   Oracle  1.7.0-update7 (including)        1.7.0-update7 (including)
Jdk   Oracle  1.7.0-update7_b32 (including)    1.7.0-update7_b32 (including)
Jdk   Oracle  1.7.0-update9 (including)        1.7.0-update9 (including)
Jdk   Oracle  1.7.0-update9_b31 (including)    1.7.0-update9_b31 (including)
Jdk   Oracle  1.7.0-update9_b32 (including)    1.7.0-update9_b32 (including)
Jre   Oracle  1.7.0-update1 (including)        1.7.0-update1 (including)
Jre   Oracle  1.7.0-update10 (including)       1.7.0-update10 (including)
Jre   Oracle  1.7.0-update10_b31 (including)   1.7.0-update10_b31 (including)
Jre   Oracle  1.7.0-update11 (including)       1.7.0-update11 (including)
Jre   Oracle  1.7.0-update11_b32 (including)   1.7.0-update11_b32 (including)
Jre   Oracle  1.7.0-update13 (including)       1.7.0-update13 (including)
Jre   Oracle  1.7.0-update15 (including)       1.7.0-update15 (including)
Jre   Oracle  1.7.0-update17 (including)       1.7.0-update17 (including)
Jre   Oracle  1.7.0-update17_b31 (including)   1.7.0-update17_b31 (including)
Jre   Oracle  1.7.0-update17_b32 (including)   1.7.0-update17_b32 (including)
Jre   Oracle  1.7.0-update2 (including)        1.7.0-update2 (including)
Jre   Oracle  1.7.0-update21 (including)       1.7.0-update21 (including)
Jre   Oracle  1.7.0-update21_b31 (including)   1.7.0-update21_b31 (including)
Jre   Oracle  1.7.0-update25 (including)       1.7.0-update25 (including)
Jre   Oracle  1.7.0-update25_b33 (including)   1.7.0-update25_b33 (including)
Jre   Oracle  1.7.0-update25_b34 (including)   1.7.0-update25_b34 (including)
Jre   Oracle  1.7.0-update25_b35 (including)   1.7.0-update25_b35 (including)
Jre   Oracle  1.7.0-update3 (including)        1.7.0-update3 (including)
Jre   Oracle  1.7.0-update4 (including)        1.7.0-update4 (including)
Jre   Oracle  1.7.0-update40 (including)       1.7.0-update40 (including)
Jre   Oracle  1.7.0-update45 (including)       1.7.0-update45 (including)
Jre   Oracle  1.7.0-update45_b31 (including)   1.7.0-update45_b31 (including)
Jre   Oracle  1.7.0-update45_b32 (including)   1.7.0-update45_b32 (including)
Jre   Oracle  1.7.0-update45_b33 (including)   1.7.0-update45_b33 (including)
Jre   Oracle  1.7.0-update45_b34 (including)   1.7.0-update45_b34 (including)
Jre   Oracle  1.7.0-update5 (including)        1.7.0-update5 (including)
Jre   Oracle  1.7.0-update51 (including)       1.7.0-update51 (including)
Jre   Oracle  1.7.0-update6 (including)        1.7.0-update6 (including)
Jre   Oracle  1.7.0-update7 (including)        1.7.0-update7 (including)
Jre   Oracle  1.7.0-update7_b32 (including)    1.7.0-update7_b32 (including)
Jre   Oracle  1.7.0-update9 (including)        1.7.0-update9 (including)
Jre   Oracle  1.7.0-update9_b31 (including)    1.7.0-update9_b31 (including)
Jre   Oracle  1.7.0-update9_b32 (including)    1.7.0-update9_b32 (including)
