CVE-2019-10182
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.002 Low
EPSS
Percentile
60.9%
It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
| Vendor | Product | Version | CPE |
|---|---|---|---|
| icedtea-web_project | icedtea-web | * | cpe:2.3:a:icedtea-web_project:icedtea-web:*:*:*:*:*:*:*:* |
| icedtea-web_project | icedtea-web | * | cpe:2.3:a:icedtea-web_project:icedtea-web:*:*:*:*:*:*:*:* |
References
lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182
github.com/AdoptOpenJDK/IcedTea-Web/issues/327
github.com/AdoptOpenJDK/IcedTea-Web/pull/344
lists.debian.org/debian-lts-announce/2019/09/msg00008.html
seclists.org/bugtraq/2019/Oct/5
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
7.1 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.002 Low
EPSS
Percentile
60.9%