CVE-2015-5234

EUVD-2015-5230
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
redhatenterprise_linux_desktop
6.0
redhatenterprise_linux_hpc_node
6.0
redhatenterprise_linux_server
6.0
redhatenterprise_linux_workstation
6.0
opensuseopensuse
13.1
opensuseopensuse
13.2
redhaticedtea
𝑥
≤ 1.5.2
redhaticedtea
1.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icedtea-web
bookworm
1.8.8-2
fixed
bullseye
1.8.4-1
fixed
sid
1.8.8-3
fixed
trixie
1.8.8-3
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icedtea-web
precise
not-affected
trusty
Fixed 1.5.3-0ubuntu0.14.04.1
released
vivid
Fixed 1.5.3-0ubuntu0.15.04.1
released
wily
Fixed 1.5.3-0ubuntu0.15.10.1
released
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
http://rhn.redhat.com/errata/RHSA-2016-0778.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securitytracker.com/id/1033780
http://www.ubuntu.com/usn/USN-2817-1
https://bugzilla.redhat.com/show_bug.cgi?id=1233667
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
http://rhn.redhat.com/errata/RHSA-2016-0778.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securitytracker.com/id/1033780
http://www.ubuntu.com/usn/USN-2817-1
https://bugzilla.redhat.com/show_bug.cgi?id=1233667