CVE-2009-1190 - Vulnerability Details

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Springsource	Dm Server Spring Framework
Sun	Jdk

Configuration 1 [-]

AND

OR	cpe:2.3:a:sun:jdk::update_22::::::*
	cpe:2.3:a:sun:jdk:1.1.0:::::::*
	cpe:2.3:a:sun:jdk:1.1.6:::::::*
	cpe:2.3:a:sun:jdk:1.1.6:update7::::::
	cpe:2.3:a:sun:jdk:1.1.7b:::::::*
	cpe:2.3:a:sun:jdk:1.1.7b:update5::::::
	cpe:2.3:a:sun:jdk:1.1.8:update10::::::
	cpe:2.3:a:sun:jdk:1.1.8:update13::::::
	cpe:2.3:a:sun:jdk:1.1.8:update14::::::
	cpe:2.3:a:sun:jdk:1.1.8:update2::::::
	cpe:2.3:a:sun:jdk:1.1.8:update7::::::
	cpe:2.3:a:sun:jdk:1.1.8:update8::::::
	cpe:2.3:a:sun:jdk:1.2.0:::::::*
	cpe:2.3:a:sun:jdk:1.2.1:::::::*
	cpe:2.3:a:sun:jdk:1.2.1:update3::::::
	cpe:2.3:a:sun:jdk:1.2.2:update4::::::
	cpe:2.3:a:sun:jdk:1.2.2:update5::::::
	cpe:2.3:a:sun:jdk:1.3.0:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_01:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_02:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_03:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_04:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_05:::::::*
	cpe:2.3:a:sun:jdk:1.3.1:::::::*
	cpe:2.3:a:sun:jdk:1.3.1:update19::::::
	cpe:2.3:a:sun:jdk:1.3.1:update20::::::
	cpe:2.3:a:sun:jdk:1.3.1_01:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_01a:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_02:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_03:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_04:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_05:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_06:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_07:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_08:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_09:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_10:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_11:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_12:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_13:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_14:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_15:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_16:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_17:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_18:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_19:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_20:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_21:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_22:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_23:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_24:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_25:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_26:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_27:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_28:::::::*
	cpe:2.3:a:sun:jdk:1.4.0:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_01:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_02:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_03:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_04:::::::*
	cpe:2.3:a:sun:jdk:1.4.1:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_01:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_02:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_03:::::::*
cpe:2.3:a:sun:jdk:1.4.1_04:::::::*
cpe:2.3:a:sun:jdk:1.4.1_05:::::::*
cpe:2.3:a:sun:jdk:1.4.1_06:::::::*
cpe:2.3:a:sun:jdk:1.4.1_07:::::::*
cpe:2.3:a:sun:jdk:1.4.2:::::::*
cpe:2.3:a:sun:jdk:1.4.2_1:::::::*
cpe:2.3:a:sun:jdk:1.4.2_2:::::::*
cpe:2.3:a:sun:jdk:1.4.2_3:::::::*
cpe:2.3:a:sun:jdk:1.4.2_4:::::::*
cpe:2.3:a:sun:jdk:1.4.2_5:::::::*
cpe:2.3:a:sun:jdk:1.4.2_6:::::::*
cpe:2.3:a:sun:jdk:1.4.2_7:::::::*
cpe:2.3:a:sun:jdk:1.4.2_8:::::::*
cpe:2.3:a:sun:jdk:1.4.2_9:::::::*
cpe:2.3:a:sun:jdk:1.4.2_10:::::::*
cpe:2.3:a:sun:jdk:1.4.2_11:::::::*
cpe:2.3:a:sun:jdk:1.4.2_12:::::::*
cpe:2.3:a:sun:jdk:1.4.2_13:::::::*
cpe:2.3:a:sun:jdk:1.4.2_14:::::::*
cpe:2.3:a:sun:jdk:1.4.2_15:::::::*
cpe:2.3:a:sun:jdk:1.4.2_16:::::::*
cpe:2.3:a:sun:jdk:1.4.2_17:::::::*
cpe:2.3:a:sun:jdk:1.4.2_18:::::::*
cpe:2.3:a:sun:jdk:1.4.2_19:::::::*
cpe:2.3:a:sun:jdk:1.5.0:::::::*
cpe:2.3:a:sun:jdk:1.5.0:update_1::::::
cpe:2.3:a:sun:jdk:1.5.0:update_10::::::
cpe:2.3:a:sun:jdk:1.5.0:update_11::::::
cpe:2.3:a:sun:jdk:1.5.0:update_12::::::
cpe:2.3:a:sun:jdk:1.5.0:update_13::::::
cpe:2.3:a:sun:jdk:1.5.0:update_14::::::
cpe:2.3:a:sun:jdk:1.5.0:update_15::::::
cpe:2.3:a:sun:jdk:1.5.0:update_16::::::
cpe:2.3:a:sun:jdk:1.5.0:update_17::::::
cpe:2.3:a:sun:jdk:1.5.0:update_18::::::
cpe:2.3:a:sun:jdk:1.5.0:update_19::::::
cpe:2.3:a:sun:jdk:1.5.0:update_2::::::
cpe:2.3:a:sun:jdk:1.5.0:update_20::::::
cpe:2.3:a:sun:jdk:1.5.0:update_21::::::
cpe:2.3:a:sun:jdk:1.5.0:update_3::::::
cpe:2.3:a:sun:jdk:1.5.0:update_4::::::
cpe:2.3:a:sun:jdk:1.5.0:update_5::::::
cpe:2.3:a:sun:jdk:1.5.0:update_6::::::
cpe:2.3:a:sun:jdk:1.5.0:update_7::::::
cpe:2.3:a:sun:jdk:1.5.0:update_8::::::
cpe:2.3:a:sun:jdk:1.5.0:update_9::::::
cpe:2.3:a:sun:jdk:1.5.0:update1::::::
cpe:2.3:a:sun:jdk:1.5.0:update10::::::
cpe:2.3:a:sun:jdk:1.5.0:update11::::::
cpe:2.3:a:sun:jdk:1.5.0:update11_b03::::::
cpe:2.3:a:sun:jdk:1.5.0:update12::::::
cpe:2.3:a:sun:jdk:1.5.0:update13::::::
cpe:2.3:a:sun:jdk:1.5.0:update14::::::
cpe:2.3:a:sun:jdk:1.5.0:update15::::::
cpe:2.3:a:sun:jdk:1.5.0:update16::::::
cpe:2.3:a:sun:jdk:1.5.0:update17::::::
cpe:2.3:a:sun:jdk:1.5.0:update18::::::
cpe:2.3:a:sun:jdk:1.5.0:update19::::::
cpe:2.3:a:sun:jdk:1.5.0:update2::::::
cpe:2.3:a:sun:jdk:1.5.0:update20::::::
cpe:2.3:a:sun:jdk:1.5.0:update21::::::
cpe:2.3:a:sun:jdk:1.5.0:update22::::::
cpe:2.3:a:sun:jdk:1.5.0:update23::::::
cpe:2.3:a:sun:jdk:1.5.0:update24::::::
cpe:2.3:a:sun:jdk:1.5.0:update25::::::
cpe:2.3:a:sun:jdk:1.5.0:update3::::::
cpe:2.3:a:sun:jdk:1.5.0:update4::::::
cpe:2.3:a:sun:jdk:1.5.0:update5::::::
cpe:2.3:a:sun:jdk:1.5.0:update6::::::
cpe:2.3:a:sun:jdk:1.5.0:update7::::::
cpe:2.3:a:sun:jdk:1.5.0:update7_b03::::::
cpe:2.3:a:sun:jdk:1.5.0:update8::::::
cpe:2.3:a:sun:jdk:1.5.0:update9::::::
cpe:2.3:a:sun:jdk:1.5.0_03::solaris:::::
cpe:2.3:a:sun:jdk:1.5.0_03::windows:::::

OR	cpe:2.3:a:springsource:dm_server:1.0.0:::::::*
	cpe:2.3:a:springsource:dm_server:1.0.1:::::::*
	cpe:2.3:a:springsource:dm_server:1.0.2:::::::*
	cpe:2.3:a:springsource:spring_framework:1.1.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0:m1::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m2::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m3::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m4::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m5::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc1::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc2::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc3::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc4::::::
	cpe:2.3:a:springsource:spring_framework:2.0.1:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.2:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.4:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.5:::::::*
	cpe:2.3:a:springsource:spring_framework:2.1:m1::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m2::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m3::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m4::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc1::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc2::::::
	cpe:2.3:a:springsource:spring_framework:2.5.1:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.2:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.4:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.5:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.6:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.0:m1::::::
	cpe:2.3:a:springsource:spring_framework:3.0.0:m2::::::

No data.

References

Link	Providers
http://secunia.com/advisories/34892
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
http://www.securityfocus.com/archive/1/502926/100/0/threaded
http://www.springsource.com/securityadvisory
https://bugzilla.redhat.com/show_bug.cgi?id=497161
https://exchange.xforce.ibmcloud.com/vulnerabilities/50083
https://www.cve.org/CVERecord?id=CVE-2009-1190

History

Wed, 28 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cve.org/CVERecord?id=CVE-2009-1190

Thu, 22 May 2025 04:30:00 +0000

Type	Values Removed	Values Added
References	https://nvd.nist.gov/vuln/detail/CVE-2009-1190 https://www.cve.org/CVERecord?id=CVE-2009-1190

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-04-27T22:00:00

Updated: 2024-08-07T05:04:49.369Z

Reserved: 2009-03-31T00:00:00

Link: CVE-2009-1190

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-04-27T22:30:00.267

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-1190

Redhat

Severity : Moderate

Publid Date: 2009-04-22T00:00:00Z

Links: CVE-2009-1190 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object