Описание
It was discovered that the IcedTea-Web used codebase attribute of the tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
A flaw was discovered that IcedTea-Web did not properly determine an applet's origin when performing same-origin checks. A malicious page could use this flaw to bypass the Same Origin Policy (SOP) and access data on unrelated sites using a spoofed value for the applet's codebase attribute.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | icedtea-web | Will not fix | ||
| Red Hat Enterprise Linux 7 | icedtea-web | Will not fix |
Показывать по
Дополнительная информация
Статус:
5.8 Medium
CVSS2
Связанные уязвимости
It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
It was discovered that the IcedTea-Web used codebase attribute of the ...
It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
5.8 Medium
CVSS2