The Aqua Look and Feel for Java implementation in Java 1.5 on Mac OS X 10.5 allows remote attackers to execute arbitrary code via a call to the undocumented apple.laf.CColourUIResource constructor with a crafted value in the first argument, which is dereferenced as a pointer.

Threat-Mapped Scoring

Score: 1.8

Priority: P4 - Informational (Low)

• S9 – Sabotage of System/App

EPSS

Score: 0.03868
Percentile: 0.87745

CVSS Scoring

Mapped CWE(s)

• CWE-94 : Improper Control of Generation of Code ('Code Injection')

All CAPEC(s)

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

• T1027.006 : HTML Smuggling
  Kill Chain: defense-evasion
• T1027.009 : Embedded Payloads
  Kill Chain: defense-evasion
• T1564.009 : Resource Forking
  Kill Chain: defense-evasion

Malware

APTs Threat Group Associations

Campaigns

Affected Products

• cpe:2.3:a:sun:jre:1.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*
• cpe:2.3:a:sun:jre:1.5.0_11-b03:*:*:*:*:*:*:*

← Back to Home