CVE-2013-2470 [Critical] | Security Bypass in Jre

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "ImagingLib byte lookup processing."

EDB-ID	Source	Kind	Published	Link
28050	exploit_db	edb	2013-09-03	Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

28050

exploit_db

edb

2013-09-03

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	54.41%	22.99%	-31.42%
2	2025-06-04	46.04%	54.41%	+8.37%
3	2025-05-26	—	46.04%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

54.41%

22.99%

-31.42%

2025-06-04

46.04%

54.41%

+8.37%

2025-05-26

—

46.04%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
10.0	2.0	HIGH	`AV:N/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	10.0	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

10.0

2.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

10.0

[email protected]

OS Trackers for CVE-2013-2470

vendor	priority	summary	link
`gentoo`	high	CVE-2013-2470: 2 GLSA(s) (201401-30, 201406-32), 6 atom(s) (app-emulation/emul-linux-x86-java, dev-java/icedtea-bin, dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin, dev-java/sun-jdk, dev-java/sun-jre-bin); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-2470
`redhat`	critical	—	https://access.redhat.com/security/cve/CVE-2013-2470
`ubuntu`	medium	CVE-2013-2470 medium priority: Ubuntu including 3 source packages (openjdk-6, openjdk-6b18, openjdk-7), 15 status rows across 5 suites (lucid, precise, quantal, raring, upstream): released 7, DNE 4, pending 2, ignored 1, needs-triage 1.	https://ubuntu.com/security/CVE-2013-2470

Affected software / configurations for CVE-2013-2470

Vendor	Product	Version	Raw CPE
oracle	jre	<= 1.7.0	cpe:2.3:a:oracle:jre::update21::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update1::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update10::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update11::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update13::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update15::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update17::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update2::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update3::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update4::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update5::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update6::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update7::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update9::::::
oracle	jdk	<= 1.7.0	cpe:2.3:a:oracle:jdk::update21::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update1::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update10::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update11::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update13::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update15::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update17::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update2::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update3::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update4::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update5::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update6::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update7::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update9::::::
oracle	jre	<= 1.6.0	cpe:2.3:a:oracle:jre::update45::::::*
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update22::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update23::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update24::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update25::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update26::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update27::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update29::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update30::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update31::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update32::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update33::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update34::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update35::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update37::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update38::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update39::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update41::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update43::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:::::::*
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_1::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_10::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_11::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_12::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_13::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_14::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_15::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_16::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_17::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_18::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_19::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_2::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_20::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_21::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_3::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_4::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_5::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_6::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_7::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_9::::::
oracle	jdk	<= 1.6.0	cpe:2.3:a:oracle:jdk::update45::::::*
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update22::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update23::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update24::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update25::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update26::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update27::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update29::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update30::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update31::::::

References for CVE-2013-2470

URL	Tags
http://advisories.mageia.org/MGASA-2013-0185.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/89d9ec9e80c1
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
http://marc.info/?l=bugtraq&m=137545505800971&w=2
http://marc.info/?l=bugtraq&m=137545592101387&w=2
http://rhn.redhat.com/errata/RHSA-2013-0963.html
http://rhn.redhat.com/errata/RHSA-2013-1059.html
http://rhn.redhat.com/errata/RHSA-2013-1060.html
http://rhn.redhat.com/errata/RHSA-2013-1081.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/54154
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www-01.ibm.com/support/docview.wss?uid=swg21642336
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html	Vendor Advisory
http://www.securityfocus.com/bid/60651
http://www.us-cert.gov/ncas/alerts/TA13-169A	US Government Resource
https://access.redhat.com/errata/RHSA-2014:0414
https://bugzilla.redhat.com/show_bug.cgi?id=975099
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16806
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19348
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19517
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19655

URL

CVE-2013-2470

Public exploit references (Exploit-DB) for CVE-2013-2470

Exploit prediction scoring system (EPSS) score for CVE-2013-2470

Common vulnerability scoring system (CVSS) metrics for CVE-2013-2470

Weakness enumeration for CVE-2013-2470

OS Trackers for CVE-2013-2470

NVD evaluator notes for CVE-2013-2470

Affected software / configurations for CVE-2013-2470

References for CVE-2013-2470