CVE-2013-1927

CWE-20 — Improper Input Validation11 documents9 sources

Severity

6.8MEDIUM

EPSS

2.2%

top 15.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Icedtea-web Canonical Ubuntu Linux Opensuse Opensuse

Timeline

PublishedApr 29

Latest updateMay 14

Description

The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR."

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶Debianicedtea-web< 1.3.2-1+3

▶NVDredhat/icedtea-web1.2.2+19

▶NVDopensuse/opensuse12.2

Also affects: Ubuntu Linux 10.04, 11.10, 12.04, 12.10

🔴Vulnerability Details

GHSA

GHSA-h9w9-hgh2-mwrp: The IcedTea-Web plugin before 1↗2022-05-14

▶

GHSA

python-gnupg's shell_quote function does not properly quote strings↗2018-11-06

▶

GHSA

python-gnupg's shell_quote function does not properly escape characters↗2018-11-06

▶

OSV

CVE-2013-1927: The IcedTea-Web plugin before 1↗2013-04-29

▶

CVEList

CVE-2013-1927: The IcedTea-Web plugin before 1↗2013-04-29

▶

📋Vendor Advisories

Ubuntu

IcedTea-Web vulnerabilities↗2013-04-18

▶

Red Hat

icedtea-web: GIFAR issue↗2013-04-17

▶

Debian

CVE-2013-1927: icedtea-web - The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attacke...↗2013

▶

💬Community

Bugzilla

CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929 python-gnupg: incorrect fix against shell injection↗2014-02-05

▶

Bugzilla

CVE-2013-1927 icedtea-web: GIFAR issue↗2012-12-06

▶