Vulnerability CVE-2019-10181


Published: 2019-07-31

Description:
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.

Type:

CWE-345

(Insufficient Verification of Data Authenticity)

Vendor: Icetea-web project
Product: Icetea-web 
Version: 1.8.2; 1.7.2;

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344

Copyright 2019, cxsecurity.com

 

Back to Top