CVE-2015-2619

Unspecified vulnerability in Oracle Java SE 7u80 and 8u45, JavaFX 2.2.80, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via unknown vectors related to 2D.

Published: 2015-07-16 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2015-2619 is rated Moderate Risk (49.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 3.20%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2015-2619

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-07-05 3.68% 3.20% -0.48%
2 2026-06-15 1.96% 3.68% +1.72%
3 2026-05-13 1.96%

Full EPSS history (19 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2015-2619

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:N)
No availability impact.
10.0 2.9 [email protected]

Weakness enumeration for CVE-2015-2619

OS Trackers for CVE-2015-2619

vendor priority summary link
debian unimportant CVE-2015-2619 unimportant priority: Debian including 1 source packages (openjdk-8), 1 status rows across 1 suites (sid): resolved 1. https://security-tracker.debian.org/tracker/CVE-2015-2619
gentoo normal CVE-2015-2619: 1 GLSA(s) (201603-11), 2 atom(s) (dev-java/oracle-jdk-bin, dev-java/oracle-jre-bin); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2015-2619
redhat medium https://access.redhat.com/security/cve/CVE-2015-2619
suse high CVE-2015-2619 severity important: SUSE including 156 source package names (java-1_7_0-ibm-1.7.0_sr9.10-9.1, java-1_7_0-ibm-alsa-1.7.0_sr9.10-9.1, …), 348 product×package rows across 73 product lines (HPE Helion OpenStack 8, Image SLES12-SP5-Azure-SAP-BYOS, … (73 product lines)): Fixed 227, Known Not Affected 121. https://www.suse.com/security/cve/CVE-2015-2619/
ubuntu low CVE-2015-2619 low priority: Ubuntu including 3 source packages (openjdk-6, openjdk-7, openjdk-8), 15 status rows across 5 suites (precise, trusty, upstream, utopic, vivid): not-affected 8, DNE 4, ignored 3. https://ubuntu.com/security/CVE-2015-2619

NVD evaluator notes for CVE-2015-2619

Comment: Per Advisory: <a href="http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html">Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. </a>

Affected software / configurations for CVE-2015-2619

Vendor Product Version Raw CPE
oracle javafx 2.2.80 cpe:2.3:a:oracle:javafx:2.2.80:*:*:*:*:*:*:*
oracle jdk 1.7.0 cpe:2.3:a:oracle:jdk:1.7.0:update75:*:*:*:*:*:*
oracle jdk 1.7.0 cpe:2.3:a:oracle:jdk:1.7.0:update80:*:*:*:*:*:*
oracle jdk 1.8.0 cpe:2.3:a:oracle:jdk:1.8.0:update_33:*:*:*:*:*:*
oracle jdk 1.8.0 cpe:2.3:a:oracle:jdk:1.8.0:update45:*:*:*:*:*:*
oracle jre 1.7.0 cpe:2.3:a:oracle:jre:1.7.0:update_75:*:*:*:*:*:*
oracle jre 1.7.0 cpe:2.3:a:oracle:jre:1.7.0:update_80:*:*:*:*:*:*
oracle jre 1.8.0 cpe:2.3:a:oracle:jre:1.8.0:update_33:*:*:*:*:*:*
oracle jre 1.8.0 cpe:2.3:a:oracle:jre:1.8.0:update_45:*:*:*:*:*:*

References for CVE-2015-2619

cvelogic Threat Intelligence