exploitDog

CVE-2019-10182

Published: 31 Jul 2019
Source: redhat
CVSS3: 8.2

Description

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

Mitigation

No known mitigation.

Affected packages

| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | icedtea-web | Out of support scope | | |
| Red Hat Enterprise Linux 7 | icedtea-web | Fixed | RHSA-2019:2003 | 31.07.2019 |
| Red Hat Enterprise Linux 8 | icedtea-web | Fixed | RHSA-2019:2004 | 31.07.2019 |

Additional information

Status: Important

Defect: CWE-22->CWE-94

https://bugzilla.redhat.com/show_bug.cgi?id=1724958
icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite

8.2 High

CVSS3

Related vulnerabilities

CVSS3: 8.2
ubuntu
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
nvd
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
debian
more than 6 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly ...

CVSS3: 6.5
github
more than 3 years ago

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS3: 8.2
fstec
more than 6 years ago

Vulnerability in the IcedTea-Web plugin related to errors in processing JNLP files, allowing an attacker to write arbitrary files to the device's file system
