[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

250363

 
 

909

 
 

196124

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2019-10181Date: (C)2019-08-01   (M)2023-12-22


It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 8.1CVSS Score : 6.8
Exploit Score: 2.2Exploit Score: 8.6
Impact Score: 5.9Impact Score: 6.4
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: HIGHAccess Complexity: MEDIUM
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: PARTIAL
Integrity: HIGH 
Availability: HIGH 
  
Reference:
https://seclists.org/bugtraq/2019/Oct/5
GLSA-202107-51
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
openSUSE-SU-2019:1911

CWE    1
CWE-345
OVAL    7
oval:org.secpod.oval:def:66451
oval:org.secpod.oval:def:1502638
oval:org.secpod.oval:def:205511
oval:org.secpod.oval:def:3300872
...

© SecPod Technologies