
Oracle Java SE Wv8u131 Information Disclosure

Posted by deepcore on November 3, 2017 – 6:06 pm

Oracle Java SE installs a protocol handler in the registry as "HKEY_CLASSES_ROOT\jnlp\Shell\Open\Command\Default" with the command '"C:\Program Files\Java\jre1.8.0_131\bin\jp2launcher.exe" -securejws "%1"'. This can allow an attacker to launch remote jnlp files with little user interaction. A malicious jnlp file containing a crafted XML XXE attack can be leveraged to disclose files, cause a denial of service or trigger SSRF. Versions v8u131 and below are affected.
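For defenders who want to screen JNLP descriptors before they reach the launcher (for example at a mail or web gateway), the following is an added example and not code from the original post or from Oracle. It reads only the XML prolog with Python's expat bindings, records any DOCTYPE and entity declarations, and stops at the root element so nothing is resolved or expanded; the function names, the verdict labels and the sample descriptors are assumptions constructed for illustration.

```python
import xml.parsers.expat

class _StopAtRoot(Exception):
    """Raised at the first element so document content is never processed."""

def audit_jnlp(data: bytes) -> dict:
    """Inspect only the prolog/DTD of a JNLP descriptor; resolve nothing."""
    found = {"doctype": False, "entities": [], "root": None, "error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        found["entities"].append({"name": name, "parameter": bool(is_param),
                                  "system_id": system_id})

    def on_root(name, attrs):
        found["root"] = name
        raise _StopAtRoot  # the DTD always precedes the root element

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _StopAtRoot:
        pass
    except xml.parsers.expat.ExpatError as exc:
        found["error"] = str(exc)
    return found

def verdict(data: bytes) -> str:
    f = audit_jnlp(data)
    if f["error"] or f["entities"]:
        return "block"   # fail closed: malformed input or any entity declaration
    if f["doctype"]:
        return "review"  # assumption: a bare DOCTYPE merits a look, not a block
    return "ok"

# Constructed sample descriptors (placeholder hosts, not taken from the advisory).
CLEAN = b'<?xml version="1.0"?><jnlp spec="1.0+"><information/></jnlp>'
DOCTYPE_ONLY = b'<!DOCTYPE jnlp><jnlp spec="1.0+"/>'
WITH_ENTITY = (b'<!DOCTYPE jnlp [<!ENTITY ext SYSTEM '
               b'"https://example.invalid/placeholder">]>'
               b'<jnlp spec="1.0+"><information>&ext;</information></jnlp>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("doctype", DOCTYPE_ONLY),
                          ("entity", WITH_ENTITY)):
        print(label, verdict(sample))
```
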

