CVE-2013-2471 [Critical] | Security Bypass in Jre

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect IntegerComponentRaster size checks."

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-07-02	45.72%	40.07%	-5.65%
2	2025-06-04	42.05%	45.72%	+3.67%
3	2025-03-30	—	42.05%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-07-02

45.72%

40.07%

-5.65%

2025-06-04

42.05%

45.72%

+3.67%

2025-03-30

—

42.05%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
10.0	2.0	HIGH	`AV:N/AC:L/Au:N/C:C/I:C/A:C` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:C) Complete confidentiality impact. Integrity impact (I:C) Complete integrity impact. Availability impact (A:C) Complete availability impact.	10.0	10.0	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

10.0

2.0

HIGH

AV:N/AC:L/Au:N/C:C/I:C/A:C Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:C): Complete confidentiality impact.
Integrity impact (I:C): Complete integrity impact.
Availability impact (A:C): Complete availability impact.

10.0

[email protected]

OS Trackers for CVE-2013-2471

vendor	priority	summary	link
`gentoo`	high	CVE-2013-2471: 2 GLSA(s) (201401-30, 201406-32), 6 atom(s) (app-emulation/emul-linux-x86-java, dev-java/icedtea-bin, dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin, dev-java/sun-jdk, dev-java/sun-jre-bin); latest impact high.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-2471
`redhat`	critical	—	https://access.redhat.com/security/cve/CVE-2013-2471
`ubuntu`	medium	CVE-2013-2471 medium priority: Ubuntu including 3 source packages (openjdk-6, openjdk-6b18, openjdk-7), 15 status rows across 5 suites (lucid, precise, quantal, raring, upstream): released 7, DNE 4, pending 2, ignored 1, needs-triage 1.	https://ubuntu.com/security/CVE-2013-2471

Affected software / configurations for CVE-2013-2471

Vendor	Product	Version	Raw CPE
oracle	jre	<= 1.7.0	cpe:2.3:a:oracle:jre::update21::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:::::::*
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update1::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update10::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update11::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update13::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update15::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update17::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update2::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update3::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update4::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update5::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update6::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update7::::::
oracle	jre	1.7.0	cpe:2.3:a:oracle:jre:1.7.0:update9::::::
oracle	jdk	<= 1.7.0	cpe:2.3:a:oracle:jdk::update21::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:::::::*
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update1::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update10::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update11::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update13::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update15::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update17::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update2::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update3::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update4::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update5::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update6::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update7::::::
oracle	jdk	1.7.0	cpe:2.3:a:oracle:jdk:1.7.0:update9::::::
oracle	jre	<= 1.6.0	cpe:2.3:a:oracle:jre::update45::::::*
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update22::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update23::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update24::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update25::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update26::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update27::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update29::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update30::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update31::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update32::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update33::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update34::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update35::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update37::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update38::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update39::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update41::::::
oracle	jre	1.6.0	cpe:2.3:a:oracle:jre:1.6.0:update43::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:::::::*
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_1::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_10::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_11::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_12::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_13::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_14::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_15::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_16::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_17::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_18::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_19::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_2::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_20::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_21::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_3::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_4::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_5::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_6::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_7::::::
sun	jre	1.6.0	cpe:2.3:a:sun:jre:1.6.0:update_9::::::
oracle	jdk	<= 1.6.0	cpe:2.3:a:oracle:jdk::update45::::::*
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update22::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update23::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update24::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update25::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update26::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update27::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update29::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update30::::::
oracle	jdk	1.6.0	cpe:2.3:a:oracle:jdk:1.6.0:update31::::::

References for CVE-2013-2471

URL	Tags
http://advisories.mageia.org/MGASA-2013-0185.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/4c3d38927a26
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
http://marc.info/?l=bugtraq&m=137545505800971&w=2
http://marc.info/?l=bugtraq&m=137545592101387&w=2
http://rhn.redhat.com/errata/RHSA-2013-0963.html
http://rhn.redhat.com/errata/RHSA-2013-1059.html
http://rhn.redhat.com/errata/RHSA-2013-1060.html
http://rhn.redhat.com/errata/RHSA-2013-1081.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/54154
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www-01.ibm.com/support/docview.wss?uid=swg21642336
http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html	Vendor Advisory
http://www.securityfocus.com/bid/60659
http://www.us-cert.gov/ncas/alerts/TA13-169A	US Government Resource
https://access.redhat.com/errata/RHSA-2014:0414
https://bugzilla.redhat.com/show_bug.cgi?id=975102
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16840
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19295
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19413
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19441

URL

CVE-2013-2471

Exploit prediction scoring system (EPSS) score for CVE-2013-2471

Common vulnerability scoring system (CVSS) metrics for CVE-2013-2471

Weakness enumeration for CVE-2013-2471

OS Trackers for CVE-2013-2471

NVD evaluator notes for CVE-2013-2471

Affected software / configurations for CVE-2013-2471

References for CVE-2013-2471