CVE-2007-2435

Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, allows remote attackers to perform unauthorized actions via an application that grants privileges to itself, related to "Incorrect Use of System Classes" and probably related to support for JNLP files.

Published: 2007-05-02 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2007-2435 is rated High Risk (72.1/100): CVSS Critical severity, with high exploitation likelihood (EPSS 4.96%, 91st percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: high exploitation likelihood; assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2007-2435

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-15  4.71%           4.96%           +0.25%
2  2026-05-26  3.66%           4.71%           +1.05%
3  2026-03-26  3.66%

Full EPSS history (19 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2007-2435

CVSS metrics for this CVE.

Base score: 10.0
Version: 2.0
Severity: HIGH
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploitability: 10.0
Impact: 10.0
Score source: [email protected]

Access vector (AV:N): can be exploited remotely over network reachability.
Access complexity (AC:L): exploitation conditions are straightforward and predictable.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:C): complete confidentiality impact.
Integrity impact (I:C): complete integrity impact.
Availability impact (A:C): complete availability impact.

Weakness enumeration for CVE-2007-2435

OS Trackers for CVE-2007-2435

Vendor: gentoo; priority: normal; summary: CVE-2007-2435: 3 GLSA(s) (200705-23, 200706-08, 200804-20), 3 atom(s) (app-emulation/emul-linux-x86-java, dev-java/sun-jdk, dev-java/sun-jre-bin); latest impact normal; link: https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2007-2435
Vendor: redhat; priority: critical; link: https://access.redhat.com/security/cve/CVE-2007-2435
Vendor: ubuntu; priority: medium; summary: CVE-2007-2435 medium priority: Ubuntu including 1 source package (sun-java5), 9 status rows across 9 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty, karmic, upstream): not-affected 5, ignored 2, DNE 1, needs-triage 1; link: https://ubuntu.com/security/CVE-2007-2435

NVD evaluator notes for CVE-2007-2435

Solution: The vendor has addressed this issue through product updates that can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1

Affected software / configurations for CVE-2007-2435

Vendor  Product                 Version     Raw CPE
sun     java_enterprise_system  <= 5.0      cpe:2.3:a:sun:java_enterprise_system:*:update10:*:*:*:*:*:*
sun     jre                     <= 1.4.2    cpe:2.3:a:sun:jre:*:update13:*:*:*:*:*:*
sun     jre                     <= 1.5.0    cpe:2.3:a:sun:jre:*:update10:*:*:*:*:*:*
sun     sdk                     <= 1.4.3_13 cpe:2.3:a:sun:sdk:*:*:*:*:*:*:*:*

References for CVE-2007-2435

URL Tags
http://dev2dev.bea.com/pub/advisory/241
http://docs.info.apple.com/article.html?artnum=307177
http://lists.apple.com/archives/Security-announce/2007/Dec/msg00001.html
http://osvdb.org/35483
http://secunia.com/advisories/25069 Patch Vendor Advisory
http://secunia.com/advisories/25283
http://secunia.com/advisories/25413
http://secunia.com/advisories/25474
http://secunia.com/advisories/25832
http://secunia.com/advisories/26311
http://secunia.com/advisories/26369
http://secunia.com/advisories/28115
http://secunia.com/advisories/29858
http://secunia.com/advisories/30780
http://security.gentoo.org/glsa/glsa-200706-08.xml
http://security.gentoo.org/glsa/glsa-200804-28.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1 Patch Vendor Advisory
http://support.avaya.com/elmodocs2/security/ASA-2007-199.htm
http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml
http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml
http://www.redhat.com/support/errata/RHSA-2007-0817.html
http://www.redhat.com/support/errata/RHSA-2007-0829.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/bid/23728 Patch
http://www.securitytracker.com/id?1017986
http://www.vupen.com/english/advisories/2007/1598
http://www.vupen.com/english/advisories/2007/1814
http://www.vupen.com/english/advisories/2007/4224
https://exchange.xforce.ibmcloud.com/vulnerabilities/33984
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10999