Published: 31/07/2019 Updated: 12/02/2023

CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8

VMScore: 516

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

Vulnerable Product	Search on Vulmon	Subscribe to Product
icedtea-web project icedtea-web
icedtea-web project icedtea-web 1.8.2
redhat enterprise linux desktop 7.0
redhat enterprise linux workstation 7.0
redhat enterprise linux server 7.0
redhat enterprise linux server eus 7.6
redhat enterprise linux server aus 7.6

Debian Bug report logs - #934319 CVE-2019-10181 CVE-2019-10182 CVE-2019-10185 Package: src:icedtea-web; Maintainer for src:icedtea-web is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Fri, 9 Aug 2019 16:15:05 UTC Severity: grave Tags: s ...

Synopsis Important: icedtea-web security update Type/Severity Security Advisory: Important Topic An update for icedtea-web is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Synopsis Important: icedtea-web security update Type/Severity Security Advisory: Important Topic An update for icedtea-web is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Impact: Important Public Date: 2019-07-31 CWE: CWE-22->CWE-94 Bugzilla: 1724958: CVE-2019-10182 iced ...

It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user ...

oss-sec mailing list archives   By Date By Thread </form>    icedtea-web: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185   From: Cedric ...

Hosting proof of concept exploit code of the remote code execution vulnerabilities in the IcedTea-Web Java webstart implementation.

icedtea-web-vulnerabilities Hosting proof of concept exploit code of the remote code execution vulnerabilities in the IcedTea-Web Java webstart implementation IcedTea-Web IcedTeaWeb is an open source implementation of JSR-56 that is better known as Java Web Start It is currently maintained by RedHat and is included into the Windows packages of OpenJDK by default Three securi

CWE-22 CWE-94 https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327 https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html https://seclists.org/bugtraq/2019/Oct/5 http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934319 https://nvd.nist.gov https://github.com/irsl/icedtea-web-vulnerabilities https://access.redhat.com/security/cve/cve-2019-10182

CVE-2019-10182

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

References

Vulmon Search

About

Products

Connect