CVE-2013-2463 [Critical] | Security Bypass in Jre

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image attribute verification" in 2D.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-07-17	50.31%	44.66%	-5.65%
2	2025-06-04	46.66%	50.31%	+3.65%
3	2025-03-30	—	46.66%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-07-17

50.31%

44.66%

-5.65%

2025-06-04

46.66%

50.31%

+3.65%

2025-03-30

—

46.66%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
10.0	2.0	HIGH	`AV:N/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	10.0	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

10.0

2.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

10.0

[email protected]

OS Trackers for CVE-2013-2463

vendor	priority	summary	link
`gentoo`	high	CVE-2013-2463: 2 GLSA(s) (201401-30, 201406-32), 6 atom(s) (app-emulation/emul-linux-x86-java, dev-java/icedtea-bin, dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin, dev-java/sun-jdk, dev-java/sun-jre-bin); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-2463
`redhat`	critical	—	https://access.redhat.com/security/cve/CVE-2013-2463
`ubuntu`	medium	CVE-2013-2463 medium priority: Ubuntu including 3 source packages (openjdk-6, openjdk-6b18, openjdk-7), 15 status rows across 5 suites (lucid, precise, quantal, raring, upstream): released 7, DNE 4, pending 2, ignored 1, needs-triage 1.	https://ubuntu.com/security/CVE-2013-2463

Affected software / configurations for CVE-2013-2463

Vendor	Product	Version	Raw CPE
oracle	jre	<= 1.7.0	cpe:2.3:a:oracle:jre::update21::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update1::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update10::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update11::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update13::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update15::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update17::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update2::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update3::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update4::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update5::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update6::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update7::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update9::::::
oracle	jdk	<= 1.7.0	cpe:2.3:a:oracle:jdk::update21::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update1::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update10::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update11::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update13::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update15::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update17::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update2::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update3::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update4::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update5::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update6::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update7::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update9::::::
oracle	jre	<= 1.6.0	cpe:2.3:a:oracle:jre::update45::::::*
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update22::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update23::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update24::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update25::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update26::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update27::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update29::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update30::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update31::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update32::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update33::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update34::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update35::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update37::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update38::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update39::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update41::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update43::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:::::::*
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_1::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_10::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_11::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_12::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_13::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_14::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_15::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_16::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_17::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_18::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_19::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_2::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_20::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_21::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_3::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_4::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_5::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_6::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_7::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_9::::::
oracle	jdk	<= 1.6.0	cpe:2.3:a:oracle:jdk::update45::::::*
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update22::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update23::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update24::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update25::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update26::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update27::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update29::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update30::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update31::::::

References for CVE-2013-2463

URL	Tags
http://advisories.mageia.org/MGASA-2013-0185.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b79d56eee18e
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
http://marc.info/?l=bugtraq&m=137545505800971&w=2
http://marc.info/?l=bugtraq&m=137545592101387&w=2
http://rhn.redhat.com/errata/RHSA-2013-0963.html
http://rhn.redhat.com/errata/RHSA-2013-1059.html
http://rhn.redhat.com/errata/RHSA-2013-1060.html
http://rhn.redhat.com/errata/RHSA-2013-1081.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/54154
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www-01.ibm.com/support/docview.wss?uid=swg21642336
http://www.informationweek.com/security/vulnerabilities/hackers-target-java-6-with-security-expl/240160443
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html	Vendor Advisory
http://www.securityfocus.com/bid/60655
http://www.us-cert.gov/ncas/alerts/TA13-169A	US Government Resource
https://access.redhat.com/errata/RHSA-2014:0414
https://bugzilla.redhat.com/show_bug.cgi?id=975115
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17149
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19373
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19620
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19685

URL

CVE-2013-2463

Exploit prediction scoring system (EPSS) score for CVE-2013-2463

Common vulnerability scoring system (CVSS) metrics for CVE-2013-2463

Weakness enumeration for CVE-2013-2463

OS Trackers for CVE-2013-2463

NVD evaluator notes for CVE-2013-2463

Affected software / configurations for CVE-2013-2463

References for CVE-2013-2463