Vulnerability CVE-2011-0706
Published: 2011-02-18   Modified: 2012-02-13

Description:
The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain privileges via unknown vectors related to multiple signers and the assignment of "an inappropriate security descriptor."

Type:

CWE-264

 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
SUN -> JDK 
Redhat -> Icedtea-web 

 References:
http://dbhole.wordpress.com/2011/02/15/icedtea-web-1-0-1-released/
https://bugzilla.redhat.com/show_bug.cgi?id=677332
http://xforce.iss.net/xforce/xfdb/65534
http://www.securityfocus.com/bid/46439
http://www.mandriva.com/security/advisories?name=MDVSA-2011:054
http://www.debian.org/security/2011/dsa-2224
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://secunia.com/advisories/43350
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:14117
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054134.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054115.html
Copyright 2024, cxsecurity.com

 

Back to Top