Vulnerability CVE-2019-10182


Published: 2019-07-31

Description:
It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

Vendor: Redhat
Product: Enterprise linux server eus 
Version: 7.6;
Product: Enterprise linux server aus 
Version: 7.6;
Product: Enterprise linux desktop 
Version: 7.0;
Product: Enterprise linux workstation 
Version: 7.0;
Product: Enterprise linux server 
Version: 7.0;
Vendor: Icedtea-web project
Product: Icedtea-web 
Version: 1.8.2; 1.7.2;

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.8/10
4.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
Partial

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344

Copyright 2019, cxsecurity.com

 

Back to Top