CVE-2019-10181

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
icedtea-web_projecticedtea-web
𝑥
≤ 1.7.2
icedtea-web_projecticedtea-web
1.8.2
debiandebian_linux
8.0
opensuseleap
15.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icedtea-web
bookworm
1.8.8-2
fixed
bullseye
1.8.4-1
fixed
buster
no-dsa
sid
1.8.8-3
fixed
stretch
no-dsa
trixie
1.8.8-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icedtea-web
bionic
needed
disco
ignored
eoan
ignored
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needed
trusty
dne
xenial
needed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
icedtea-web
RHEL 7
0:1.7.1-2.el7_6
fixed
RHEL 8
0:1.7.1-17.el8_0
fixed
RHEL 8.0 E4S
0:1.7.1-17.el8_0
fixed
icedtea-web-devel
RHEL 7
0:1.7.1-2.el7_6
fixed
icedtea-web-javadoc
RHEL 7
0:1.7.1-2.el7_6
fixed
RHEL 8
0:1.7.1-17.el8_0
fixed
RHEL 8.0 E4S
0:1.7.1-17.el8_0
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
https://seclists.org/bugtraq/2019/Oct/5
https://security.gentoo.org/glsa/202107-51
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
https://seclists.org/bugtraq/2019/Oct/5
https://security.gentoo.org/glsa/202107-51