Strix
26.1K

CVE-2012-4540

UnknownEPSS 3.44%

Last modified

CVE-2012-4540 is a vulnerability of currently unknown severity. Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.. EPSS estimates a 3.44% chance of exploitation in the next 30 days.

Description

Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.

Metrics

EPSS Probability
3.44%

87.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
OpensuseOpensuse13.1
OpensuseOpensuse13.2
RedhatIcedtea-Web1.1
RedhatIcedtea-Web1.1.1
RedhatIcedtea-Web1.1.2
RedhatIcedtea-Web1.1.3
RedhatIcedtea-Web1.1.4
RedhatIcedtea-Web1.1.5
RedhatIcedtea-Web1.1.6
RedhatIcedtea-Web1.2
RedhatIcedtea-Web1.2.1
RedhatIcedtea-Web1.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2012-4540?
Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet." NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.
How severe is CVE-2012-4540?
Severity scoring for CVE-2012-4540 is pending analysis. The EPSS model estimates a 3.44% probability of exploitation in the next 30 days.
How do I fix CVE-2012-4540?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2012-4540?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST