Vulnerability Details CVE-2019-10182
It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.011
EPSS Ranking 77.0%
CVSS Severity
CVSS v3 Score 8.2
CVSS v2 Score 5.8
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
- http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182
- https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
- https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
- https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
- https://seclists.org/bugtraq/2019/Oct/5
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
- http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182
- https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
- https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
- https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
- https://seclists.org/bugtraq/2019/Oct/5
Products affected by CVE-2019-10182
-
cpe:2.3:a:icedtea-web_project:icedtea-web:-
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.0
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.1
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.2
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.4
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.5
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.6
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.7
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.7.1
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.7.2
-
cpe:2.3:a:icedtea-web_project:icedtea-web:1.8.2
-
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6
-
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0