CVE-2013-2461

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier; the Oracle JRockit component in Oracle Fusion Middleware R27.7.5 and earlier and R28.2.7 and earlier; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June and July 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass verification of XML signatures via vectors related to a "Missing check for [a] valid DOMCanonicalizationMethod canonicalization algorithm."

Published: 2013-06-18 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2013-2461 is rated Moderate Risk (57.6/100): CVSS High severity, with high exploitation likelihood (EPSS 6.75%, 93rd percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: given the high exploitation likelihood, assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2013-2461

EPSS summary: the daily EPSS score estimates the relative likelihood that this CVE is exploited in the wild; the percentile ranks it among all scored vulnerabilities (a higher percentile means a higher relative rank).

#  | Date       | Old EPSS score | New EPSS score | Delta (New - Old)
1  | 2026-06-15 | 70.90%         | 6.75%          | -64.15%
2  | 2026-01-15 | 64.06%         | 70.90%         | +6.84%
3  | 2025-03-30 | 64.06%         |                |

The table above shows the most recent entries of the full EPSS history, which contains 11 records in total.

Common vulnerability scoring system (CVSS) metrics for CVE-2013-2461

CVSS metrics for this CVE.

Base score | Version | Severity | Vector                     | Exploitability | Impact | Score source
7.5        | 2.0     | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0           | 6.4    | [email protected]

Vector breakdown:
Access vector (AV:N): can be exploited remotely over the network.
Access complexity (AC:L): exploitation conditions are straightforward and predictable.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:P): partial confidentiality impact.
Integrity impact (I:P): partial integrity impact.
Availability impact (A:P): partial availability impact.

Weakness enumeration for CVE-2013-2461

OS Trackers for CVE-2013-2461

Vendor | Priority | Summary | Link
gentoo | high | CVE-2013-2461: 2 GLSA(s) (201401-30, 201406-32), 6 atom(s) (app-emulation/emul-linux-x86-java, dev-java/icedtea-bin, dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin, dev-java/sun-jdk, dev-java/sun-jre-bin); latest impact high. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-2461
redhat | high | | https://access.redhat.com/security/cve/CVE-2013-2461
suse | medium | CVE-2013-2461 severity moderate: SUSE including 42 source package names (java-1_6_0-openjdk-1.6.0.0_b27.1.12.6-0.2.1, java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.6-0.2.1, …), 62 product×package rows across 17 product lines (SUSE Linux Enterprise Desktop 11 SP2, SUSE Linux Enterprise Desktop 11 SP3, …): Fixed 62. | https://www.suse.com/security/cve/CVE-2013-2461/
ubuntu | medium | CVE-2013-2461 medium priority: Ubuntu including 3 source packages (openjdk-6, openjdk-6b18, openjdk-7), 15 status rows across 5 suites (lucid, precise, quantal, raring, upstream): released 7, DNE 4, pending 2, ignored 1, needs-triage 1. | https://ubuntu.com/security/CVE-2013-2461

NVD evaluator notes for CVE-2013-2461

Comment: Per http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html: "Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service."

Affected software / configurations for CVE-2013-2461

Vendor | Product | Version | Raw CPE
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update39:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update41:*:*:*:*:*:*
oracle | jdk | 1.6.0 | cpe:2.3:a:oracle:jdk:1.6.0:update43:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*
sun | jdk | 1.6.0 | cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
oracle | jre | 1.7.0 | cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
oracle | jrockit | >= r27.7.1, <= r27.7.5 | cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*
oracle | jrockit | >= r28.0.0, <= r28.2.7 | cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*
oracle | openjdk | 1.7.0 | cpe:2.3:a:oracle:openjdk:1.7.0:*:*:*:*:*:*:*

References for CVE-2013-2461

URL | Tags
http://advisories.mageia.org/MGASA-2013-0185.html | Third Party Advisory
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/abe9ea5a50d2 | Third Party Advisory
http://marc.info/?l=bugtraq&m=137545505800971&w=2 | Mailing List, Third Party Advisory
http://marc.info/?l=bugtraq&m=137545592101387&w=2 | Mailing List, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0963.html | Third Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/23 | Mailing List, Third Party Advisory
http://secunia.com/advisories/54154 | Third Party Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml | Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183 | Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html | Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html | Vendor Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html | Vendor Advisory
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html | Vendor Advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded | Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/60645 | Third Party Advisory, VDB Entry
http://www.us-cert.gov/ncas/alerts/TA13-169A | Third Party Advisory, US Government Resource
http://www.vmware.com/security/advisories/VMSA-2014-0012.html | Third Party Advisory
https://access.redhat.com/errata/RHSA-2014:0414 | Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=975126 | Issue Tracking, Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16887 | Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19565 | Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19582 | Third Party Advisory