Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for icedtea-web by IcedTea

    CVE-2019-10185 (GCVE-0-2019-10185)

    Vulnerability from nvd – Published: 2019-07-31 21:50 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:10.092Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              },
              {
                "name": "GLSA-202107-51",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202107-51"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-24T04:06:34.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            },
            {
              "name": "GLSA-202107-51",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202107-51"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10185",
        "datePublished": "2019-07-31T21:50:57.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:10.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10181 (GCVE-0-2019-10181)

    Vulnerability from nvd – Published: 2019-07-31 21:56 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              },
              {
                "name": "GLSA-202107-51",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202107-51"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-24T04:06:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            },
            {
              "name": "GLSA-202107-51",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202107-51"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10181",
        "datePublished": "2019-07-31T21:56:11.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10182 (GCVE-0-2019-10182)

    Vulnerability from nvd – Published: 2019-07-31 21:52 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.992Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from \u003cjar/\u003e elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-07T16:06:08.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10182",
        "datePublished": "2019-07-31T21:52:39.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.992Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10181 (GCVE-0-2019-10181)

    Vulnerability from cvelistv5 – Published: 2019-07-31 21:56 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.998Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              },
              {
                "name": "GLSA-202107-51",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202107-51"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-24T04:06:32.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            },
            {
              "name": "GLSA-202107-51",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202107-51"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10181",
        "datePublished": "2019-07-31T21:56:11.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10182 (GCVE-0-2019-10182)

    Vulnerability from cvelistv5 – Published: 2019-07-31 21:52 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:09.992Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from \u003cjar/\u003e elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-10-07T16:06:08.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10182",
        "datePublished": "2019-07-31T21:52:39.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:09.992Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-10185 (GCVE-0-2019-10185)

    Vulnerability from cvelistv5 – Published: 2019-07-31 21:50 – Updated: 2024-08-04 22:10
    VLAI
    Summary
    It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    IcedTea icedtea-web Affected: affects up to and including 1.7.2 and 1.8.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T22:10:10.092Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185"
              },
              {
                "name": "openSUSE-SU-2019:1911",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
              },
              {
                "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
              },
              {
                "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
                "tags": [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
                  "x_transferred"
                ],
                "url": "https://seclists.org/bugtraq/2019/Oct/5"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
              },
              {
                "name": "GLSA-202107-51",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202107-51"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "icedtea-web",
              "vendor": "IcedTea",
              "versions": [
                {
                  "status": "affected",
                  "version": "affects up to and including 1.7.2 and 1.8.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-07-24T04:06:34.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185"
            },
            {
              "name": "openSUSE-SU-2019:1911",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"
            },
            {
              "name": "20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE",
              "tags": [
                "mailing-list",
                "x_refsource_BUGTRAQ"
              ],
              "url": "https://seclists.org/bugtraq/2019/Oct/5"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"
            },
            {
              "name": "GLSA-202107-51",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/202107-51"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-10185",
        "datePublished": "2019-07-31T21:50:57.000Z",
        "dateReserved": "2019-03-27T00:00:00.000Z",
        "dateUpdated": "2024-08-04T22:10:10.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }