CVE-2007-5237
Description
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Java Web Start in Sun JDK/JRE 6 Update 2 and earlier does not properly enforce access restrictions, allowing untrusted applications to read and modify local files.
Vulnerability
Java Web Start in Sun JDK and JRE versions 6 Update 2 and earlier does not properly enforce access restrictions for untrusted (unsigned) applications. The CVE description groups two distinct flaws under this identifier ("two vulnerabilities"); both allow an untrusted Java Web Start application to bypass the intended security sandbox and interact with the local file system [4]. The affected range listed here is the JDK/JRE 6 line up to and including Update 2; the fix shipped in Update 3 (1.6.0_03).
Exploitation
An attacker must convince a user to launch a malicious Java Web Start application, typically by linking to it from a web page or delivering it as an email attachment. The attacker needs no authentication and no network position beyond the ability to host the application. Once the user has chosen to run it, no further interaction is required for the sandbox bypass to take effect [4].
Impact
Successful exploitation allows an untrusted application to read, modify, rename, and create local files with the privileges of the user running Java. This can lead to information disclosure, data tampering, or arbitrary code execution within the user's context [4].
Mitigation
Sun released JDK/JRE 6 Update 3 (1.6.0_03); this and later versions fix these vulnerabilities. Gentoo Linux recommends upgrading to >=dev-java/sun-jre-bin-1.6.0.05 or >=dev-java/sun-jdk-1.6.0.05 [4]. VMware ESX and VirtualCenter also provided updates, as noted in advisory VMSA-2008-0010 [1]. No workaround is available other than applying the patch; until it is applied, exposure is limited to users who launch untrusted Web Start applications.
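Because the fixed release is identified only by its update number, a fleet check has to parse the `java -version` string correctly (the GA build `1.6.0` carries no `_NN` suffix and counts as Update 0, and some vendors append a build tag such as `-b05`). The following checker is an added example and is not part of this page or of any vendor advisory; the sample version outputs are constructed, the `FIXED_UPDATE` constant and function names are this example's own, and the classification treats only the JDK/JRE 6 line as in scope because that is the range the page lists.

```python
import re
import subprocess

# Fixed release named on this page: JDK/JRE 6 Update 3 (1.6.0_03).
FIXED_UPDATE = 3

# Version line printed by `java -version` (on stderr), e.g.
#   java version "1.6.0_02"
#   java version "1.6.0"          (GA build, no update suffix)
#   java version "1.6.0_03-b05"   (vendor build tag appended)
_VERSION_RE = re.compile(
    r'^(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"',
    re.MULTILINE,
)


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version`
    output, or None if no version line is present. A missing update
    suffix is reported as update 0 (the GA build)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def classify(output):
    """Classify a `java -version` output against the range on this page.

    'affected'     - 1.6.0 at Update 2 or earlier (includes the GA build)
    'fixed'        - 1.6.0 at Update 3 or later
    'out_of_scope' - a different release line; this page lists only the 6
                     line, so consult the vendor advisory rather than
                     assuming it is safe
    'unknown'      - no parseable version line; never assume safe
    """
    v = parse_java_version(output)
    if v is None:
        return "unknown"
    major, minor, micro, update = v
    if (major, minor, micro) != (1, 6, 0):
        return "out_of_scope"
    return "affected" if update < FIXED_UPDATE else "fixed"


def probe_local_java(java="java"):
    """Run the real `java -version` and classify it. The JVM prints the
    version banner on stderr, so that stream is the one to parse."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return classify(proc.stderr or proc.stdout)


# Constructed sample outputs (not captured from real hosts).
SAMPLE_VULNERABLE = (
    'java version "1.6.0_02"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_02-b05)\n'
    'Java HotSpot(TM) Client VM (build 1.6.0_02-b05, mixed mode)\n'
)
SAMPLE_GA = (
    'java version "1.6.0"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0-b105)\n'
)
SAMPLE_FIXED = (
    'java version "1.6.0_03"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_03-b05)\n'
)
SAMPLE_OTHER_LINE = 'java version "1.5.0_12"\n'

if __name__ == "__main__":
    for name, sample in [("vulnerable", SAMPLE_VULNERABLE), ("ga", SAMPLE_GA),
                         ("fixed", SAMPLE_FIXED), ("other", SAMPLE_OTHER_LINE)]:
        print(f"{name:10s} -> {classify(sample)}")
```

Run it as-is to see the constructed samples classified, or call `probe_local_java()` on a host to check the installed runtime; treat `unknown` and `out_of_scope` as "needs a human look", not as clean.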
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:sun:jre:*:update1:*:*:*:*:*:* (range: <=1.6.0)
- cpe:2.3:a:sun:jre:*:update2:*:*:*:*:*:* (range: <=1.6.0)
- Range: <=1.6.0 Update 2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- sunsolve.sun.com/search/document.do (nvd, Patch)
- dev2dev.bea.com/pub/advisory/272 (nvd)
- h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp (nvd)
- secunia.com/advisories/27261 (nvd)
- secunia.com/advisories/27693 (nvd)
- secunia.com/advisories/29042 (nvd)
- secunia.com/advisories/29858 (nvd)
- secunia.com/advisories/30676 (nvd)
- secunia.com/advisories/30780 (nvd)
- security.gentoo.org/glsa/glsa-200804-28.xml (nvd)
- www.gentoo.org/security/en/glsa/glsa-200804-20.xml (nvd)
- www.gentoo.org/security/en/glsa/glsa-200806-11.xml (nvd)
- www.novell.com/linux/security/advisories/2007_55_java.html (nvd)
- www.securityfocus.com/bid/25920 (nvd)
- www.securitytracker.com/id (nvd)
- www.vmware.com/security/advisories/VMSA-2008-0010.html (nvd)
- www.vupen.com/english/advisories/2007/3895 (nvd)
- www.vupen.com/english/advisories/2008/0609 (nvd)
- www.vupen.com/english/advisories/2008/1856/references (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/36946 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5899 (nvd)
News mentions
No linked articles in our index yet.