CVE-2007-6382: Robocode Arbitrary Code Execution
CVSS Score: 6.8 (CVSS v2)

Basic Information
CVE ID: CVE-2007-6382
GHSA ID:
EPSS Score: 0.72508%
CWE: CWE-94 (Code Injection)
Published: 5/1/2022
Updated: 9/21/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
net.sf.robocode:robocode.core | maven | < 1.5.1 | 1.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Robocode's custom security manager granting blanket permissions to any code running on the AWT Event Dispatch Thread (EDT). The fix, in commit 2f2867d (first shipped in 1.5.1), changed the checkPermission method so that the EDT exemption applies only when one of two specific Robocode tools (Codesize or CacheCleaner) is on the call stack, which the manager verifies by inspecting the current stack trace. Before the patch there was no such caller validation: untrusted robot code that got itself executed on the EDT (any code can schedule work there through the AWT event queue) inherited the exemption and could perform privileged operations the sandbox would otherwise deny. The CWE-94 (Code Injection) classification and the exploit description both match this missing caller check in the security manager's permission test.
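To make the two shapes of the check concrete, the following is an added example written for this page; it is not Robocode's security manager or any code from commit 2f2867d. The class names (EdtPermissionCheckDemo, WeakManager, HardenedManager, the Codesize stand-in), the thread-name test used to recognise the EDT, and the PropertyPermission chosen as the privileged operation are all assumptions for illustration. The managers are never installed with System.setSecurityManager; their checkPermission methods are called directly from a task dispatched to the real EDT, so the example compiles and runs on current JDKs (with deprecation warnings) without a display.

```java
import java.security.Permission;
import java.util.PropertyPermission;
import java.util.Set;
import javax.swing.SwingUtilities;

/**
 * Hypothetical demo (not Robocode code): a permission check that trusts the
 * EDT unconditionally, beside one that additionally requires a listed tool
 * class on the call stack.
 */
public class EdtPermissionCheckDemo {

    // Assumed EDT test for this demo. The page does not say how Robocode
    // recognises the EDT; a thread-name check is itself spoofable by code
    // that is allowed to rename threads.
    static boolean onEdt() {
        return Thread.currentThread().getName().startsWith("AWT-EventQueue");
    }

    /** Pre-patch shape: being on the EDT is sufficient for every permission. */
    static class WeakManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (onEdt()) {
                return; // blanket grant, regardless of who queued the work
            }
            throw new SecurityException("denied: " + perm);
        }
    }

    /** Stand-in for a trusted Robocode tool such as Codesize (name only). */
    static class Codesize {
        static void run(SecurityManager sm, Permission perm) {
            sm.checkPermission(perm); // the tool's own frame is now on the stack
        }
    }

    /** Post-patch shape: the EDT exemption applies only to listed tool classes. */
    static class HardenedManager extends SecurityManager {
        private static final Set<String> TRUSTED_TOOLS = Set.of(Codesize.class.getName());

        @Override
        public void checkPermission(Permission perm) {
            if (onEdt()) {
                for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
                    if (TRUSTED_TOOLS.contains(frame.getClassName())) {
                        return; // a trusted tool is on the call stack
                    }
                }
            }
            throw new SecurityException("denied: " + perm);
        }
    }

    /** Runs one permission check on the real EDT, directly or through the tool. */
    static String checkOnEdt(SecurityManager sm, Permission perm, boolean viaTool) {
        String[] outcome = new String[1];
        try {
            SwingUtilities.invokeAndWait(() -> {
                try {
                    if (viaTool) {
                        Codesize.run(sm, perm);
                    } else {
                        sm.checkPermission(perm); // "robot" code calling directly
                    }
                    outcome[0] = "granted";
                } catch (SecurityException e) {
                    outcome[0] = "denied";
                }
            });
        } catch (Exception e) {
            throw new IllegalStateException("EDT dispatch failed", e);
        }
        return outcome[0];
    }

    public static void main(String[] args) {
        Permission perm = new PropertyPermission("user.home", "read");
        System.out.println("weak manager, robot code on EDT:     "
                + checkOnEdt(new WeakManager(), perm, false));
        System.out.println("hardened manager, robot code on EDT: "
                + checkOnEdt(new HardenedManager(), perm, false));
        System.out.println("hardened manager, Codesize on EDT:   "
                + checkOnEdt(new HardenedManager(), perm, true));
    }
}
```

With WeakManager, the robot's direct call passes because the thread alone satisfies the check; with HardenedManager the same call is denied, and only the call routed through the Codesize frame is granted. Two caveats apply to any allowlist of this kind: the EDT test must not be something untrusted code can fake (a thread name, for instance), and a trusted tool that calls back into robot-supplied code while on the EDT leaves the trusted frame on the stack underneath the robot's, so the robot inherits the exemption again (a confused-deputy path the stack walk alone does not close).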