CVE-2009-3866 : The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 do

The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824.

Published 2009-11-05 16:30:00

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2009-3866

SUN » JDK » Version: 1.6.0 Update Update 4
cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 3
cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 7
cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 10
cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 5
cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 6
cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 11
cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 12
cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 13
cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 1
cpe:2.3:a:sun:jdk:1.6.0:update_1:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 9
cpe:2.3:a:sun:jdk:1.6.0:update_9:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 8
cpe:2.3:a:sun:jdk:1.6.0:update_8:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 16
cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 14
cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*
Matching versions
SUN » JDK » Version: 1.6.0 Update Update 15
cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 1
cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 2
cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 4
cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 3
cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 10
cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 5
cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 6
cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 7
cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 9
cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 11
cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 12
cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 13
cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 8
cpe:2.3:a:sun:jre:1.6.0:update_8:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 15
cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 14
cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*
Matching versions
SUN » JRE » Version: 1.6.0 Update Update 16
cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2009-3866

Top countries where our scanners detected CVE-2009-3866

Top open port discovered on systems with this issue 80

IPs affected by CVE-2009-3866 719

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2009-3866!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2009-3866

EPSS FAQ

5.66%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 89 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-3866

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2009-3866

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-3866

http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html

CVEs referencing this url
http://secunia.com/advisories/37386

About Secunia Research | Flexera

CVEs referencing this url
http://secunia.com/advisories/37239

CVEs referencing this url
http://secunia.com/advisories/37841

About Secunia Research | Flexera

CVEs referencing this url
http://support.apple.com/kb/HT3969

CVEs referencing this url
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1

Patch;Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2009-1694.html

Support

CVEs referencing this url
http://support.apple.com/kb/HT3970

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6635
http://secunia.com/advisories/37581

CVEs referencing this url
http://www.vupen.com/english/advisories/2009/3131

Patch;Vendor Advisory

CVEs referencing this url
http://secunia.com/advisories/37231

Vendor Advisory

CVEs referencing this url
http://java.sun.com/javase/6/webnotes/6u17.html

Java SE 6 Update 17 Release Notes
Vendor Advisory

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-200911-02.xml

Sun JDK/JRE: Multiple vulnerabilities (GLSA 200911-02) — Gentoo security

CVEs referencing this url
http://zerodayinitiative.com/advisories/ZDI-09-077/

Patch
http://marc.info/?l=bugtraq&m=134254866602253&w=2

'[security bulletin] HPSBMU02799 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.0x Running JD' - MARC

CVEs referencing this url
http://www.securityfocus.com/bid/36881

Sun Java SE November 2009 Multiple Security Vulnerabilities

CVEs referencing this url
http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html

CVEs referencing this url