ID SUSE_11_3_ICEDTEA-WEB-110721.NASL Type nessus Reporter Tenable Modified 2014-06-13T00:00:00
Description
This update of icedtea/icedtea-web fixes two issues :
CVE-2011-2513: CVSS v2 Base Score: 4.3: An information leak allows unsigned Web Start applications to determine the path to the cache directory used to store downloaded class and jar files.
CVE-2011-2514: CVSS v2 Base Score: 5.1: An unsigned Web Start application could manipulate the content of the security warning dialog message to show a different file name in prompts.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update icedtea-web-4910.
#
# The text description of this plugin is (C) SUSE LLC.
#
include("compat.inc");
# Registration branch: taken only when `description` is set. It records the
# plugin's metadata and then calls exit(0), so the package checks further down
# the file are not reached on this path.
if (description)
{
  # Plugin identity and the two CVE ids this check is filed under.
  script_id(75528);
  script_version("$Revision: 1.1 $");
  script_cvs_date("$Date: 2014/06/13 21:55:23 $");
  script_cve_id("CVE-2011-2513", "CVE-2011-2514");

  script_name(english:"openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)");
  script_summary(english:"Check for the icedtea-web-4910 patch");

  script_set_attribute(attribute:"synopsis", value:"The remote openSUSE host is missing a security update.");

  # Advisory text, kept verbatim (line breaks are part of the string).
  script_set_attribute(attribute:"description", value:
"This update of icedtea/icedtea-web fixes two issues :
- CVE-2011-2513: CVSS v2 Base Score: 4.3: An information
leak allows unsigned Web Start applications to determine
the path to the cache directory used to store downloaded
class and jar files.
- CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web
Start application could manipulate content of the
security warning dialog message to show different file
name in prompts.");

  # References are registered in the same order as before.
  script_set_attribute(attribute:"see_also", value:"http://lists.opensuse.org/opensuse-updates/2011-07/msg00032.html");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=704309");
  script_set_attribute(attribute:"solution", value:"Update the affected icedtea-web packages.");

  # A single vector is registered for the plugin as a whole. The advisory text
  # above quotes separate per-CVE base scores (4.3 and 5.1), so the two should
  # not be expected to match.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  # "local" plugin type: the verdict is derived from data collected on the
  # host, not from probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icedtea-web");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:icedtea-web-javadoc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");

  # The patch date precedes the plugin date by almost three years; use
  # patch_publication_date when judging how long the fix has been available.
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  # The check depends on ssh_get_info.nasl and on these KB keys; presumably
  # they are only populated by a credentialed scan -- confirm against that
  # plugin. Without them this plugin has nothing to evaluate.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host-side check: decide from the knowledge base (KB) whether the openSUSE 11.3
# icedtea-web packages are older than the fixed build.
# NOTE(review): audit() comes from audit.inc and is presumably terminal (it
# records the reason and ends the script) -- confirm there. The guards below
# are written on that assumption.

# Local checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Scope: SLED/SLES release strings are rejected first, then anything that is
# not exactly "SUSE11.3".
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);

# No package list in the KB means there is nothing to compare against.
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only i586, i686 and x86_64 hosts are evaluated.
cpu_arch = get_kb_item("Host/cpu");
if (!cpu_arch) audit(AUDIT_UNKNOWN_ARCH);
if (cpu_arch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", cpu_arch);

# Count the packages that rpm_check() reports against the fixed references.
# rpm_check() is defined in rpm.inc; presumably it is true when the installed
# package is older than the reference -- confirm there.
# The verdict rests on the collected RPM list only, so a copy of IcedTea-Web
# installed outside the package manager would not be seen by this check.
outdated = 0;
foreach pkg_ref (make_list("icedtea-web-1.1-0.6.1", "icedtea-web-javadoc-1.1-0.6.1"))
{
  if ( rpm_check(release:"SUSE11.3", reference:pkg_ref) ) outdated++;
}

if (!outdated)
{
  # Nothing flagged: audit as "not affected" when pkg_tests_get() returns the
  # tested packages, otherwise as "not installed".
  checked_pkgs = pkg_tests_get();
  if (checked_pkgs) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked_pkgs);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icedtea-web");
}
else
{
  # At least one package flagged: raise a warning on port 0, attaching the
  # rpm report when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
{"id": "SUSE_11_3_ICEDTEA-WEB-110721.NASL", "bulletinFamily": "scanner", "title": "openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)", "description": "This update of icedtea/icedtea-web fixes two issues :\n\n - CVE-2011-2513: CVSS v2 Base Score: 4.3: An information leak allows unsigned Web Start applications to determine the path to the cache directory used to store downloaded class and jar files.\n\n - CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web Start application could manipulate content of the security warning dialog message to show different file name in prompts.", "published": "2014-06-13T00:00:00", "modified": "2014-06-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75528", "reporter": "Tenable", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=704309", "http://lists.opensuse.org/opensuse-updates/2011-07/msg00032.html"], "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "type": "nessus", "lastseen": "2017-10-29T13:34:12", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This update of icedtea/icedtea-web fixes two issues :\n\n - CVE-2011-2513: CVSS v2 Base Score: 4.3: An information leak allows unsigned Web Start applications to determine the path to the cache directory used to store downloaded class and jar files.\n\n - CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web Start application could manipulate content of the security warning dialog message to show different file name in prompts.", "edition": 1, "enchantments": {}, "hash": "f68c35473611442bb474a3ca35aabe05108377e17d121ce95c517c2ad21e3c59", "hashmap": [{"hash": "2e8e84c91b8d6fedc67bed691465ea6f", "key": "sourceData"}, {"hash": "ecd5fc45296715ea6c4c15734b84b65d", 
"key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "c469b49eb9e4009bd91fa7f5f13c91b2", "key": "pluginID"}, {"hash": "517a85e900aacc23358d1e86ab16f531", "key": "references"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "modified"}, {"hash": "02fcc0c238d215158fbaabb854c5b3df", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0f8a258758a02071b6e7c0c85982c7ce", "key": "href"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "fa652820ce7b209653c33ca07c8e0b1d", "key": "cvelist"}, {"hash": "9bb35dc09393feef97880f3c0f3af337", "key": "title"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=75528", "id": "SUSE_11_3_ICEDTEA-WEB-110721.NASL", "lastseen": "2016-09-26T17:23:27", "modified": "2014-06-13T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "75528", "published": "2014-06-13T00:00:00", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=704309", "http://lists.opensuse.org/opensuse-updates/2011-07/msg00032.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update icedtea-web-4910.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75528);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/06/13 21:55:23 $\");\n\n script_cve_id(\"CVE-2011-2513\", \"CVE-2011-2514\");\n\n script_name(english:\"openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)\");\n script_summary(english:\"Check for the icedtea-web-4910 patch\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of icedtea/icedtea-web fixes two issues :\n\n - CVE-2011-2513: CVSS v2 Base Score: 4.3: An information\n leak allows unsigned Web Start applications to determine\n the path to the cache directory used to store downloaded\n class and jar files.\n\n - CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web\n Start application could manipulate content of the\n security warning dialog message to show different file\n name in prompts.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2011-07/msg00032.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=704309\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected icedtea-web packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:icedtea-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:icedtea-web-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"icedtea-web-1.1-0.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", reference:\"icedtea-web-javadoc-1.1-0.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-web\");\n}\n", "title": "openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:27"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "1a6f71114b08c88acc5e08f5552d2082"}, {"key": "cvelist", "hash": "fa652820ce7b209653c33ca07c8e0b1d"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "ecd5fc45296715ea6c4c15734b84b65d"}, {"key": "href", "hash": "0f8a258758a02071b6e7c0c85982c7ce"}, {"key": "modified", "hash": "02fcc0c238d215158fbaabb854c5b3df"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "c469b49eb9e4009bd91fa7f5f13c91b2"}, {"key": "published", 
"hash": "02fcc0c238d215158fbaabb854c5b3df"}, {"key": "references", "hash": "517a85e900aacc23358d1e86ab16f531"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "2e8e84c91b8d6fedc67bed691465ea6f"}, {"key": "title", "hash": "9bb35dc09393feef97880f3c0f3af337"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "e4ffe2f9ea44160d12d863daf35309fb49e5ee19606c3a4abc486de78a447f4f", "viewCount": 1, "enchantments": {"vulnersScore": 5.4}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update icedtea-web-4910.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75528);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/06/13 21:55:23 $\");\n\n script_cve_id(\"CVE-2011-2513\", \"CVE-2011-2514\");\n\n script_name(english:\"openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)\");\n script_summary(english:\"Check for the icedtea-web-4910 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of icedtea/icedtea-web fixes two issues :\n\n - CVE-2011-2513: CVSS v2 Base Score: 4.3: An information\n leak allows unsigned Web Start applications to determine\n the path to the cache directory used to store downloaded\n class and jar files.\n\n - CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web\n Start application could manipulate content of the\n security warning dialog message to show different file\n name in prompts.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.opensuse.org/opensuse-updates/2011-07/msg00032.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.novell.com/show_bug.cgi?id=704309\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected icedtea-web packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:icedtea-web\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:icedtea-web-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/07/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"icedtea-web-1.1-0.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.3\", 
reference:\"icedtea-web-javadoc-1.1-0.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"icedtea-web\");\n}\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "75528", "cpe": ["p-cpe:/a:novell:opensuse:icedtea-web-javadoc", "p-cpe:/a:novell:opensuse:icedtea-web", "cpe:/o:novell:opensuse:11.3"]}
{"result": {"cve": [{"id": "CVE-2011-2513", "type": "cve", "title": "CVE-2011-2513", "description": "The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.", "published": "2014-05-13T20:55:04", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2513", "cvelist": ["CVE-2011-2513"], "lastseen": "2016-09-03T15:28:05"}, {"id": "CVE-2011-2514", "type": "cve", "title": "CVE-2011-2514", "description": "The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted.", "published": "2014-05-13T20:55:04", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2514", "cvelist": ["CVE-2011-2514"], "lastseen": "2016-09-03T15:28:07"}], "nessus": [{"id": "FEDORA_2011-9523.NASL", "type": "nessus", "title": "Fedora 14 : java-1.6.0-openjdk-1.6.0.0-54.1.9.9.fc14 (2011-9523)", "description": "- PR744: icedtea6-1.10.2 : patching error\n\n - PR748: Icedtea6 fails to build with Linux 3.0.\n\n - RH718164, CVE-2011-2513: Home directory path disclosure to untrusted applications\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-08-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=55751", "cvelist": ["CVE-2011-2513"], "lastseen": "2017-10-29T13:35:35"}, {"id": "FEDORA_2011-9541.NASL", "type": "nessus", "title": "Fedora 15 : icedtea-web-1.0.4-1.fc15 (2011-9541)", "description": "This security fix that addresses the following issues :\n\n - RH718164: Home directory path disclosure to untrusted applications\n\n - RH718170: Java Web Start security warning dialog manipulation\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-07-25T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=55663", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:34:43"}, {"id": "SL_20110727_ICEDTEA_WEB_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64", "description": "The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project.\nIt also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.\n\nA flaw was discovered in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box, to trick a user into granting the application unintended access permissions to local files. 
(CVE-2011-2514)\n\nAn information disclosure flaw was discovered in the JNLP implementation in IcedTea-Web. An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user's login name. (CVE-2011-2513)\n\nAll icedtea-web users should upgrade to these updated packages, which contain backported patches to correct these issues.", "published": "2012-08-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=61098", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:37:07"}, {"id": "REDHAT-RHSA-2011-1100.NASL", "type": "nessus", "title": "RHEL 6 : icedtea-web (RHSA-2011:1100)", "description": "Updated icedtea-web packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project.\nIt also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.\n\nA flaw was discovered in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box, to trick a user into granting the application unintended access permissions to local files. (CVE-2011-2514)\n\nAn information disclosure flaw was discovered in the JNLP implementation in IcedTea-Web. 
An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user's login name. (CVE-2011-2513)\n\nAll icedtea-web users should upgrade to these updated packages, which contain backported patches to correct these issues.", "published": "2011-07-28T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=55710", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:35:07"}, {"id": "UBUNTU_USN-1178-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 10.10 / 11.04 : icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities (USN-1178-1)", "description": "Omair Majid discovered that an unsigned Web Start application or applet could determine the path to the cache directory used to store downloaded class and jar files by querying class loader properties.\nThis could allow a remote attacker to discover a user's name and home directory path. (CVE-2011-2513)\n\nOmair Majid discovered that an unsigned Web Start application could manipulate the content of the security warning dialog message to show different file names in prompts. This could allow a remote attacker to confuse a user into granting access to a different file than they believe they are granting access to. This issue only affected Ubuntu 11.04. (CVE-2011-2514).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2011-07-28T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=55718", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:40:02"}, {"id": "ORACLELINUX_ELSA-2011-1100.NASL", "type": "nessus", "title": "Oracle Linux 6 : icedtea-web (ELSA-2011-1100)", "description": "From Red Hat Security Advisory 2011:1100 :\n\nUpdated icedtea-web packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThe IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project.\nIt also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.\n\nA flaw was discovered in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box, to trick a user into granting the application unintended access permissions to local files. (CVE-2011-2514)\n\nAn information disclosure flaw was discovered in the JNLP implementation in IcedTea-Web. An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user's login name. 
(CVE-2011-2513)\n\nAll icedtea-web users should upgrade to these updated packages, which contain backported patches to correct these issues.", "published": "2013-07-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68314", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:39:10"}, {"id": "SUSE_11_4_ICEDTEA-WEB-110721.NASL", "type": "nessus", "title": "openSUSE Security Update : icedtea-web (openSUSE-SU-2011:0829-1)", "description": "This update of icedtea/icedtea-web fixes two issues :\n\n - CVE-2011-2513: CVSS v2 Base Score: 4.3: An information leak allows unsigned Web Start applications to determine the path to the cache directory used to store downloaded class and jar files.\n\n - CVE-2011-2514: CVSS v2 Base Score: 5.1 An unsigned Web Start application could manipulate content of the security warning dialog message to show different file name in prompts.", "published": "2014-06-13T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75864", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-10-29T13:46:10"}], "openvas": [{"id": "OPENVAS:1361412562310840712", "type": "openvas", "title": "Ubuntu Update for icedtea-web USN-1178-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1178-1", "published": "2011-08-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840712", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2018-04-06T11:35:14"}, {"id": "OPENVAS:1361412562310863375", "type": "openvas", "title": "Fedora Update for icedtea-web FEDORA-2011-9541", "description": "Check for the Version of icedtea-web", "published": 
"2011-07-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863375", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2018-04-09T11:37:53"}, {"id": "OPENVAS:870699", "type": "openvas", "title": "RedHat Update for icedtea-web RHSA-2011:1100-01", "description": "Check for the Version of icedtea-web", "published": "2012-06-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870699", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2018-01-11T11:06:12"}, {"id": "OPENVAS:1361412562310122126", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2011-1100", "description": "Oracle Linux Local Security Checks ELSA-2011-1100", "published": "2015-10-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122126", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-07-24T12:52:54"}, {"id": "OPENVAS:863375", "type": "openvas", "title": "Fedora Update for icedtea-web FEDORA-2011-9541", "description": "Check for the Version of icedtea-web", "published": "2011-07-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=863375", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-07-25T10:55:51"}, {"id": "OPENVAS:840712", "type": "openvas", "title": "Ubuntu Update for icedtea-web USN-1178-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1178-1", "published": "2011-08-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=840712", "cvelist": ["CVE-2011-2513", 
"CVE-2011-2514"], "lastseen": "2017-12-04T11:26:52"}, {"id": "OPENVAS:1361412562310870699", "type": "openvas", "title": "RedHat Update for icedtea-web RHSA-2011:1100-01", "description": "Check for the Version of icedtea-web", "published": "2012-06-06T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870699", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2018-04-06T11:16:54"}, {"id": "OPENVAS:863397", "type": "openvas", "title": "Fedora Update for java-1.6.0-openjdk FEDORA-2011-9523", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-08-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=863397", "cvelist": ["CVE-2011-0865", "CVE-2011-0868", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2010-4469", "CVE-2010-4450", "CVE-2011-2513", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2011-0870", "CVE-2011-0815", "CVE-2011-0867", "CVE-2011-0025", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-0864", "CVE-2011-0706", "CVE-2011-0862", "CVE-2011-0871", "CVE-2011-0872"], "lastseen": "2017-07-25T10:55:49"}, {"id": "OPENVAS:1361412562310863397", "type": "openvas", "title": "Fedora Update for java-1.6.0-openjdk FEDORA-2011-9523", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-08-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863397", "cvelist": ["CVE-2011-0865", "CVE-2011-0868", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2010-4469", "CVE-2010-4450", "CVE-2011-2513", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2011-0870", "CVE-2011-0815", "CVE-2011-0867", "CVE-2011-0025", "CVE-2010-4470", "CVE-2011-0822", 
"CVE-2011-0864", "CVE-2011-0706", "CVE-2011-0862", "CVE-2011-0871", "CVE-2011-0872"], "lastseen": "2018-04-09T11:37:40"}, {"id": "OPENVAS:1361412562310863588", "type": "openvas", "title": "Fedora Update for java-1.6.0-openjdk FEDORA-2011-14638", "description": "Check for the Version of java-1.6.0-openjdk", "published": "2011-10-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863588", "cvelist": ["CVE-2011-0865", "CVE-2011-3557", "CVE-2011-3551", "CVE-2011-0868", "CVE-2010-4448", "CVE-2010-4465", "CVE-2011-0869", "CVE-2011-3548", "CVE-2011-3547", "CVE-2010-4469", "CVE-2011-3521", "CVE-2011-3389", "CVE-2010-4450", "CVE-2011-3544", "CVE-2011-2513", "CVE-2011-3558", "CVE-2010-4476", "CVE-2010-4472", "CVE-2010-4471", "CVE-2011-0870", "CVE-2011-0815", "CVE-2011-3554", "CVE-2011-0867", "CVE-2011-0025", "CVE-2011-3556", "CVE-2010-4470", "CVE-2011-0822", "CVE-2011-3560", "CVE-2011-0864", "CVE-2011-3552", "CVE-2011-0706", "CVE-2011-0862", "CVE-2011-0871", "CVE-2011-0872"], "lastseen": "2018-04-09T11:36:26"}], "ubuntu": [{"id": "USN-1178-1", "type": "ubuntu", "title": "IcedTea-Web, OpenJDK 6 vulnerabilities", "description": "Omair Majid discovered that an unsigned Web Start application or applet could determine the path to the cache directory used to store downloaded class and jar files by querying class loader properties. This could allow a remote attacker to discover a user\u2019s name and home directory path. (CVE-2011-2513)\n\nOmair Majid discovered that an unsigned Web Start application could manipulate the content of the security warning dialog message to show different file names in prompts. This could allow a remote attacker to confuse a user into granting access to a different file than they believe they are granting access to. This issue only affected Ubuntu 11.04. 
(CVE-2011-2514)", "published": "2011-07-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1178-1/", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2018-03-29T18:20:08"}], "redhat": [{"id": "RHSA-2011:1100", "type": "redhat", "title": "(RHSA-2011:1100) Moderate: icedtea-web security update", "description": "The IcedTea-Web project provides a Java web browser plug-in and an\nimplementation of Java Web Start, which is based on the Netx project. It\nalso contains a configuration tool for managing deployment settings for the\nplug-in and Web Start implementations.\n\nA flaw was discovered in the JNLP (Java Network Launching Protocol)\nimplementation in IcedTea-Web. An unsigned Java Web Start application\ncould use this flaw to manipulate the content of a Security Warning\ndialog box, to trick a user into granting the application unintended access\npermissions to local files. (CVE-2011-2514)\n\nAn information disclosure flaw was discovered in the JNLP implementation in\nIcedTea-Web. An unsigned Java Web Start application or Java applet could\nuse this flaw to determine the path to the cache directory used to store\ndownloaded Java class and archive files, and therefore determine the user's\nlogin name. 
(CVE-2011-2513)\n\nAll icedtea-web users should upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n", "published": "2011-07-27T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2011:1100", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2017-12-25T20:05:35"}], "oraclelinux": [{"id": "ELSA-2011-1100", "type": "oraclelinux", "title": "icedtea-web security update", "description": "[1.0.4-2]\n- Added patch to make plugin table size mismatch a warning instead of error\n[1.0.4-1]\n- Bump to 1.0.4\n- Resolves rhbz#718180", "published": "2011-07-27T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-1100.html", "cvelist": ["CVE-2011-2513", "CVE-2011-2514"], "lastseen": "2016-09-04T11:16:09"}]}}