CVE-2011-3377

CWE-2648 documents8 sources

Severity

4.3MEDIUM

EPSS

1.0%

top 23.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ubuntu Linux Opensuse Opensuse Redhat Icedtea-web

Timeline

PublishedFeb 5

Latest updateMay 14

Description

The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶Debianicedtea-web< 1.1.4-1+3

▶NVDredhat/icedtea-web10 versions+9

▶NVDopensuse/opensuse12.1

Also affects: Ubuntu Linux 10.04, 10.10, 11.04, 11.10

Patches

Patch: dbhole.wordpress.com ↗Patch: dbhole.wordpress.com ↗

🔴Vulnerability Details

GHSA

GHSA-cqp6-h2hr-w9xj: The web browser plug-in in IcedTea-Web 1↗2022-05-14

▶

OSV

CVE-2011-3377: The web browser plug-in in IcedTea-Web 1↗2014-02-05

▶

CVEList

CVE-2011-3377: The web browser plug-in in IcedTea-Web 1↗2014-02-05

▶

📋Vendor Advisories

Ubuntu

IcedTea-Web, OpenJDK 6 vulnerabilities↗2011-11-16

▶

Red Hat

IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass↗2011-11-08

▶

Debian

CVE-2011-3377: icedtea-web - The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4...↗2011

▶

💬Community

Bugzilla

CVE-2011-3377 IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass↗2011-09-30

▶