CVE-2010-4351

Published: 20/01/2011 Updated: 17/08/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 prior to 1.7.7, 1.8 prior to 1.8.4, and 1.9 prior to 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent malicious users to bypass the intended security policy by creating instances of ClassLoader.

Affected Products

Vendor: Redhat
Product: Icedtea
Versions: 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8, 1.8.1, 1.8.2, 1.8.3, 1.9, 1.9.1, 1.9.2, 1.9.3

Vendor Advisories

It was discovered that the JNLP SecurityManager in IcedTea for Java OpenJDK in some instances failed to properly apply the intended security policy in its checkPermission method. This could allow an attacker to execute code with privileges that should have been prevented (CVE-2010-4351) ...
It was discovered that IcedTea for Java did not properly verify signatures when handling multiply signed or partially signed JAR files, allowing an attacker to cause code to execute that appeared to come from a verified source (CVE-2011-0025) ...
Several security vulnerabilities were discovered in OpenJDK, an implementation of the Java platform. CVE-2010-4351: The JNLP SecurityManager returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creati ...