CVE-2011-0025

Severity
6.8 MEDIUM
EPSS
1.5%
top 18.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 4
Latest update: May 3

Description

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (1 package)

NVD: redhat/icedtea, 18 versions

Patches

🔴Vulnerability Details

2
GHSA
GHSA-253g-w96v-v3cj: IcedTea 1 (2022-05-03)
CVEList
CVE-2011-0025: IcedTea 1 (2011-02-04)

💥Exploits & PoCs

1
Exploit-DB
IrfanView FlashPix PlugIn - Double-Free (2011-12-20)

📋Vendor Advisories

2
Ubuntu
OpenJDK vulnerabilities (2011-02-01)
Red Hat
IcedTea jarfile signature verification bypass (2011-02-01)

💬Community

1
Bugzilla
CVE-2011-0025 IcedTea jarfile signature verification bypass (2011-01-24)
CVE-2011-0025 (MEDIUM CVSS 6.8) | IcedTea 1.7 before 1.7.8 | cvebase.io