GSD-2008-5353 — Vulnetix

Try Vulnetix Request Demo

GSD-2008-5353 PUBLISHED

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a

Timeline

Nov 21, 2007 CVE Published
Dec 3, 2008 PoC Published
May 20, 2009 PoC Published
Sep 20, 2010 PoC Published
Jan 8, 2011 PoC Published
May 29, 2018 PoC Published
Feb 6, 2025 PoC Published
Feb 13, 2025 PoC Published
Feb 23, 2025 PoC Published
Aug 31, 2025 PoC Published
Aug 31, 2025 PoC Published
Apr 15, 2026 Security Advisory

References

SSRT090049 vendor-advisory
SUSE-SA:2009:018 vendor-advisory
34259 third-party-advisory
ADV-2009-0672 vdb
RHSA-2008:1018 vendor-advisory
33015 third-party-advisory
http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm url
34889 third-party-advisory
34233 third-party-advisory
1021313 vdb
GLSA-200911-02 vendor-advisory
http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf url
http://blog.cr0.org/2009/05/write-once-own-everyone.html url
SUSE-SA:2009:007 vendor-advisory
SSRT080111 vendor-advisory
38539 third-party-advisory
http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html url
34972 third-party-advisory
RHSA-2009:0466 vendor-advisory
SUSE-SR:2009:006 vendor-advisory

…and 22 more

Open in Interactive Console →