QwikSec

Security Database

CVE

CWE

Training

CVE-2019-10182

Published: Jul 31, 2019

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.0

8.2

HIGH

Description

It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

Vendor	Product	Versions
IcedTea	icedtea-web	affected `affects up to and including 1.7.2 and 1.8.2`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

Low

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182

x_refsource_CONFIRM

https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344

x_refsource_CONFIRM

https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327

x_refsource_CONFIRM

openSUSE-SU-2019:1911

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20190909 [SECURITY] [DLA 1914-1] icedtea-web security update

mailing-list

x_refsource_MLIST

20191007 CVE-2019-10181, CVE-2019-10182, CVE-2019-10185: IcedTea-Web vulnerabilities leading to RCE

mailing-list

x_refsource_BUGTRAQ

http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.