Back to search
CVE-2019-10181
Published: Jul 31, 2019
Modified: Aug 4, 2024
PUBLISHED
CVSS v3.0
6.3
MEDIUM
Description
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
| Vendor | Product | Versions |
|---|---|---|
IcedTea | icedtea-web | affected affects up to and including 1.7.2 and 1.8.2 |
Weaknesses (CWE)
CVSS v3.0 Details
CVSS v3.0 Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
References
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
x_refsource_CONFIRM
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
x_refsource_CONFIRM
openSUSE-SU-2019:1911
vendor-advisory
x_refsource_SUSE
[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update
mailing-list
x_refsource_MLIST
20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE
mailing-list
x_refsource_BUGTRAQ
GLSA-202107-51
vendor-advisory
x_refsource_GENTOO
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now