CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

SUN : Security Vulnerabilities Published In 2008

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2008-5746 59 +Priv 2008-12-29 2009-01-06
6.9
Admin Local Medium Not required Complete Complete Complete
Sun SNMP Management Agent (SUNWmasf) 1.4u2 through 1.5.4 allows local users to overwrite arbitrary files and gain privileges via a symlink attack on temporary files.
2 CVE-2008-5699 264 +Priv +Info 2008-12-22 2009-01-06
4.6
User Local Low Not required Partial Partial Partial
The name service cache daemon (nscd) in Sun Solaris 10 and OpenSolaris snv_50 through snv_104 does not properly check permissions, which allows local users to gain privileges and obtain sensitive information via unspecified vectors.
3 CVE-2008-5690 255 DoS 2008-12-19 2010-07-20
2.1
None Local Low Not required None None Partial
The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, and OpenSolaris build snv_01 through snv_104, allows local users to cause a denial of service (authentication failure) via unspecified vectors related to incorrect cache file permissions, and lack of credential storage by the store_cred function in pam_krb5.
4 CVE-2008-5689 399 1 DoS Exec Code 2008-12-19 2011-02-02
7.2
None Local Low Not required Complete Complete Complete
tun in IP Tunnel in Solaris 10 and OpenSolaris snv_01 through snv_76 allows local users to cause a denial of service (panic) and possibly execute arbitrary code via a crafted SIOCGTUNPARAM IOCTL request, which triggers a NULL pointer dereference.
5 CVE-2008-5685 DoS 2008-12-19 2010-07-13
10.0
Admin Remote Low Not required Complete Complete Complete
Sun ScApp firmware 5.18.x, 5.19.x, and 5.20.0 through 5.20.10 on Sun Fire and Netra platforms allows remote attackers to access the System Controller (SC), the system console, and possibly the host OS, and cause a denial of service (shutdown or reboot), via spoofed IP packets.
6 CVE-2008-5684 399 DoS 2008-12-19 2010-04-24
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in the X Inter Client Exchange library (aka libICE) in Sun Solaris 8 through 10 and OpenSolaris before snv_85 allows context-dependent attackers to cause a denial of service (application crash), as demonstrated by a port scan that triggers a segmentation violation in the Gnome session manager (aka gnome-session).
7 CVE-2008-5662 119 Exec Code Overflow 2008-12-17 2010-05-29
9.3
Admin Remote Medium Not required Complete Complete Complete
Multiple buffer overflows in Sun Java Wireless Toolkit (WTK) for CLDC 2.5.2 and earlier allow downloaded programs to execute arbitrary code via unknown vectors.
8 CVE-2008-5661 399 DoS 2008-12-17 2008-12-18
5.4
None Remote High Not required None None Complete
The IPv4 Forwarding feature in Sun Solaris 10 and OpenSolaris snv_47 through snv_82, with certain patches installed, allows remote attackers to cause a denial of service (panic) via unknown vectors that trigger a NULL pointer dereference.
9 CVE-2008-5550 2008-12-12 2008-12-15
4.3
None Remote Medium Not required None Partial None
Open redirect vulnerability in console/faces/jsp/login/BeginLogin.jsp in Sun Java Web Console 3.0.2 through 3.0.5 and Solaris 10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the redirect_url parameter.
10 CVE-2008-5549 264 2008-12-12 2009-08-20
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the Sun Java Web Console components in Sun Java System Portal Server 7.1 and 7.2 allows remote attackers to access local files and read the product's configuration information via unknown vectors related to "access to secure files by ThemeServlet."
11 CVE-2008-5423 200 +Info 2008-12-11 2009-05-14
4.3
None Local Low Single system Partial Partial Partial
Sun Sun Ray Server Software 3.x and 4.0 and Sun Ray Windows Connector 1.1 and 2.0 expose the LDAP password during a configuration step, which allows local users to discover the Sun Ray administration password, and obtain admin access to the Data Store and Administration GUI, via unspecified vectors related to the utconfig component of the Server Software and the uttscadm component of the Windows Connector.
12 CVE-2008-5422 264 2008-12-11 2010-04-24
7.5
None Remote Low Not required Partial Partial Partial
Sun Sun Ray Server Software 3.1 through 4.0 does not properly restrict access, which allows remote attackers to discover the Sun Ray administration password, and obtain admin access to the Data Store and Administration GUI, via unspecified vectors.
13 CVE-2008-5410 310 DoS 2008-12-09 2009-03-04
7.8
None Remote Low Not required None None Complete
The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a denial of service (failed cryptographic operations) via unspecified vectors, related to the (1) RSA_sign and (2) RSA_verify functions.
14 CVE-2008-5360 2008-12-05 2010-08-21
6.4
None Remote Low Not required Partial Partial None
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier creates temporary files with predictable file names, which allows attackers to write malicious JAR files via unknown vectors.
15 CVE-2008-5359 119 Exec Code Overflow 2008-12-05 2010-08-21
9.3
None Remote Medium Not required Complete Complete Complete
Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code, related to a ConvolveOp operation in the Java AWT library.
16 CVE-2008-5358 119 Exec Code Overflow Mem. Corr. 2008-12-05 2010-08-21
9.3
None Remote Medium Not required Complete Complete Complete
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll.
17 CVE-2008-5357 189 Exec Code Overflow 2008-12-05 2010-08-21
9.3
None Remote Medium Not required Complete Complete Complete
Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.
18 CVE-2008-5356 119 Exec Code Overflow 2008-12-05 2010-08-21
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file.
19 CVE-2008-5355 287 Exec Code 2008-12-05 2010-08-21
10.0
None Remote Low Not required Complete Complete Complete
The "Java Update" feature for Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks.
20 CVE-2008-5354 119 Exec Code Overflow 2008-12-05 2010-08-21
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched and possibly remote untrusted Java applications to execute arbitrary code via a JAR file with a long Main-Class manifest entry.
21 CVE-2008-5353 2008-12-05 2010-08-21
10.0
None Remote Low Not required Complete Complete Complete
The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".
22 CVE-2008-5352 189 Overflow +Priv 2008-12-05 2010-08-21
9.3
Admin Remote Medium Not required Complete Complete Complete
Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflow.
23 CVE-2008-5351 264 Bypass 2008-12-05 2010-08-21
7.5
None Remote Low Not required Partial Partial Partial
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings.
24 CVE-2008-5350 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applications and applets to list the contents of the operating user's directory via unknown vectors.
25 CVE-2008-5349 DoS 2008-12-05 2010-08-21
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key.
26 CVE-2008-5348 DoS 2008-12-05 2010-08-21
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos authentication, allows remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.
27 CVE-2008-5347 264 +Priv 2008-12-05 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted applets and applications to gain privileges via vectors related to access to inner classes in the (1) JAX-WS and (2) JAXB packages.
28 CVE-2008-5346 200 +Info 2008-12-05 2013-07-21
7.1
None Remote Medium Not required Complete None None
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file.
29 CVE-2008-5345 2008-12-05 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Java Runtime Environment (JRE) with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier allows code that is loaded from a local filesystem to read arbitrary files and make unauthorized connections to localhost via unknown vectors.
30 CVE-2008-5344 2008-12-05 2010-08-21
7.5
User Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets to read arbitrary files and make unauthorized network connections via unknown vectors related to applet classloading, aka 6716217.
31 CVE-2008-5343 2008-12-05 2010-08-21
9.0
None Remote Low Not required Complete Partial Partial
Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows remote attackers to make unauthorized network connections and hijack HTTP sessions via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR" and CR 6707535.
32 CVE-2008-5342 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors, aka 6767668.
33 CVE-2008-5341 200 +Info 2008-12-05 2010-08-21
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors, aka CR 6727071.
34 CVE-2008-5340 264 +Priv 2008-12-05 2013-08-22
10.0
Admin Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to gain privileges to access local files or applications via unknown vectors, aka 6727081.
35 CVE-2008-5339 2008-12-05 2010-08-21
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to perform network connections to unauthorized hosts via unknown vectors, aka CR 6727079.
36 CVE-2008-5266 79 XSS 2008-11-28 2011-04-22
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in configuration/httpListenerEdit.jsf in the GlassFish 2 UR2 b04 webadmin interface in Sun Java System Application Server 9.1_01 build b09d-fcs and 9.1_02 build b04-fcs allows remote attackers to inject arbitrary web script or HTML via the name parameter, a different vector than CVE-2008-2751.
37 CVE-2008-5133 264 Bypass 2008-11-18 2012-10-30
5.8
None Remote Medium Not required None Partial Partial
ipnat in IP Filter in Sun Solaris 10 and OpenSolaris before snv_96, when running on a DNS server with Network Address Translation (NAT) configured, improperly changes the source port of a packet when the destination port is the DNS port, which allows remote attackers to bypass an intended CVE-2008-1447 protection mechanism and spoof the responses to DNS queries sent by named.
38 CVE-2008-5118 2008-11-17 2012-10-30
4.3
None Remote Medium Not required None Partial None
Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to inject frames from arbitrary web sites and conduct phishing attacks via unspecified vectors, related to "frame injection."
39 CVE-2008-5117 20 2008-11-17 2012-10-30
6.4
None Remote Low Not required None Partial Partial
Open redirect vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
40 CVE-2008-5116 22 Dir. Trav. 2008-11-17 2009-08-13
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in idm/includes/helpServer.jsp in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to read arbitrary files in the filesystem of the IDM server via directory traversal sequences in the ext parameter.
41 CVE-2008-5115 352 CSRF 2008-11-17 2009-08-13
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allows remote attackers to hijack the authentication of administrators for requests that update the password via idm/admin/changeself.jsp.
42 CVE-2008-5114 79 XSS 2008-11-17 2012-10-30
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager 6.0 through 6.0 SP4, 7.0, and 7.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
43 CVE-2008-5111 DoS 2008-11-17 2012-10-30
4.7
None Local Medium Not required None None Complete
Unspecified vulnerability in the socket function in Sun Solaris 10 and OpenSolaris snv_57 through snv_91, when InfiniBand hardware is not installed, allows local users to cause a denial of service (panic) via unknown vectors, related to the socksdpv_close function.
44 CVE-2008-5099 200 +Priv Bypass +Info 2008-11-17 2009-08-12
4.6
User Local Low Not required Partial Partial Partial
Sun Logical Domain Manager (aka LDoms Manager or ldm) 1.0 through 1.0.3 displays the value of the OpenBoot PROM (OBP) security-password variable in cleartext, which allows local users to bypass the SPARC firmware's password protection, and gain privileges or obtain data access, via the "ldm ls -l" command, a different vulnerability than CVE-2008-4992.
45 CVE-2008-5098 79 XSS 2008-11-17 2008-11-21
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Sun Java System Messaging Server 6.2 and 6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-2904.
46 CVE-2008-5010 DoS 2008-11-10 2009-03-13
10.0
Admin Remote Low Not required Complete Complete Complete
in.dhcpd in the DHCP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unknown DHCP requests related to the "number of offers," aka Bug ID 6713805.
47 CVE-2008-5009 362 DoS 2008-11-10 2008-11-15
4.0
None Local High Not required None None Complete
Race condition in the s_xout kernel module in Sun Solstice X.25 9.2, when running on a multiple CPU machine, allows local users to cause a denial of service (panic) via vectors involving reading the /dev/xty file.
48 CVE-2008-4992 264 2008-11-07 2009-01-06
4.6
None Local Low Single system Complete None None
The SPARC hypervisor in Sun System Firmware 6.6.3 through 6.6.5 and 7.1.3 through 7.1.3.e on UltraSPARC T1, T2, and T2+ processors allows logical domain users to access memory in other logical domains via unknown vectors.
49 CVE-2008-4910 20 2008-11-03 2009-01-29
10.0
Admin Remote Low Not required Complete Complete Complete
The BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method.
50 CVE-2008-4747 200 +Info 2008-10-27 2008-11-15
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the search feature in Sun Java System LDAP JDK before 4.20 allows context-dependent attackers to obtain sensitive information via unknown attack vectors related to the LDAP JDK library.
Total number of vulnerabilities : 157   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.