Unrated severityNVD Advisory· Published Mar 25, 2009· Updated Apr 23, 2026

CVE-2009-1106

Description

The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 does not properly parse crossdomain.xml files, which allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unknown vectors, aka CR 6798948.

Affected products

Sun Corporation/Jdk3 versions
cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
Sun Corporation/Jre3 versions
cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000