
exploitDog

CVE-2019-10182

Published: 31 Jul 2019
Source: debian

Description

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| icedtea-web | fixed | 1.8.3-1 | | package |
| icedtea-web | no-dsa | | buster | package |
| icedtea-web | no-dsa | | stretch | package |

Notes

  • https://www.openwall.com/lists/oss-security/2019/07/31/2

  • https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6 (1.7)

  • https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f (1.8)

Related vulnerabilities

CVSS3: 8.2
ubuntu
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
redhat
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
nvd
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 6.5
github
more than 3 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
fstec
more than 6 years ago

A vulnerability in the IcedTea-Web plugin, related to errors in processing JNLP files, that allows an attacker to write arbitrary files to the device's file system