Published: 31/07/2019 Updated: 12/02/2023

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

CVSS v3 Base Score: 8.6 | Impact Score: 4 | Exploitability Score: 3.9

VMScore: 570

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

Vulnerable Product	Search on Vulmon	Subscribe to Product
icedtea-web project icedtea-web
icedtea-web project icedtea-web 1.8.2
debian debian linux 8.0
opensuse leap 15.0

Debian Bug report logs - #934319 CVE-2019-10181 CVE-2019-10182 CVE-2019-10185 Package: src:icedtea-web; Maintainer for src:icedtea-web is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Fri, 9 Aug 2019 16:15:05 UTC Severity: grave Tags: s ...

Synopsis Important: icedtea-web security update Type/Severity Security Advisory: Important Topic An update for icedtea-web is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Synopsis Important: icedtea-web security update Type/Severity Security Advisory: Important Topic An update for icedtea-web is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Impact: Important Public Date: 2019-07-31 CWE: CWE-22 Bugzilla: 1724989: CVE-2019-10185 icedtea-web: di ...

It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file An attacker could use this flaw to write files to arbitrary locations This could also be used to replace the main running application and, possibly, break out of the sandbox ...

oss-sec mailing list archives   By Date By Thread </form>    icedtea-web: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185   From: Cedric ...

Hosting proof of concept exploit code of the remote code execution vulnerabilities in the IcedTea-Web Java webstart implementation.

icedtea-web-vulnerabilities Hosting proof of concept exploit code of the remote code execution vulnerabilities in the IcedTea-Web Java webstart implementation IcedTea-Web IcedTeaWeb is an open source implementation of JSR-56 that is better known as Java Web Start It is currently maintained by RedHat and is included into the Windows packages of OpenJDK by default Three securi

CWE-22 https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327 https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185 http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html https://seclists.org/bugtraq/2019/Oct/5 http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html https://security.gentoo.org/glsa/202107-51 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934319 https://nvd.nist.gov https://github.com/irsl/icedtea-web-vulnerabilities https://access.redhat.com/security/cve/cve-2019-10185

CVE-2019-10185

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Mailing Lists

Github Repositories

References

Vulmon Search

About

Products

Connect