Impact: Important Public Date: 2019-07-31 CWE: CWE-22 Bugzilla: 1724989: CVE-2019-10185 icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
Find out more about CVE-2019-10185 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 8.2 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | Low |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 8 | icedtea-web | Affected |
| Red Hat Enterprise Linux 7 | icedtea-web | Affected |
| Red Hat Enterprise Linux 6 | icedtea-web | Out of support scope |
Vulmon