Unrated severity · NVD Advisory · Published Nov 5, 2009 · Updated Jun 16, 2026
CVE-2009-3866
Description
The Java Web Start Installer in Sun Java SE in JDK and JRE 6 before Update 17 does not properly use security model permissions when removing installer extensions, which allows remote attackers to execute arbitrary code by modifying a certain JNLP file to have a URL field that points to an unintended trusted application, aka Bug Id 6872824.
Affected products
- cpe:2.3:a:sun:jdk:1.6.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jdk:1.6.0:update_9:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_8:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*
- Range: <6u17
References
- sunsolve.sun.com/search/document.do (nvd, Patch, Vendor Advisory)
- www.vupen.com/english/advisories/2009/3131 (nvd, Patch, Vendor Advisory)
- zerodayinitiative.com/advisories/ZDI-09-077/ (nvd, Patch)
- java.sun.com/javase/6/webnotes/6u17.html (nvd, Vendor Advisory)
- secunia.com/advisories/37231 (nvd, Vendor Advisory)
- lists.apple.com/archives/security-announce/2009/Dec/msg00000.html (nvd)
- lists.apple.com/archives/security-announce/2009/Dec/msg00001.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html (nvd)
- marc.info (nvd)
- secunia.com/advisories/37239 (nvd)
- secunia.com/advisories/37386 (nvd)
- secunia.com/advisories/37581 (nvd)
- secunia.com/advisories/37841 (nvd)
- security.gentoo.org/glsa/glsa-200911-02.xml (nvd)
- support.apple.com/kb/HT3969 (nvd)
- support.apple.com/kb/HT3970 (nvd)
- www.redhat.com/support/errata/RHSA-2009-1694.html (nvd)
- www.securityfocus.com/bid/36881 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6635 (nvd)