CVE-2015-5234 — Improper Input Validation in Redhat Icedtea

CWE-20 — Improper Input Validation CWE-138 — Improper Neutralization of Special Elements10 documents8 sources

Severity

6.8MEDIUMNVD

EPSS

0.9%

top 24.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Icedtea Fedoraproject Fedora Opensuse +4 more

Timeline

PublishedOct 9

Latest updateMay 14

Description

IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages6 packages

▶NVDredhat/icedtea1.5.2+1

▶NVDopensuse/opensuse13.1, 13.2+1

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

▶NVDredhat/enterprise_linux_hpc_node6.0

Also affects: Fedora 21, 22

Patches

Patch: mail.openjdk.java.net ↗Patch: mail.openjdk.java.net ↗

🔴Vulnerability Details

GHSA

GHSA-vjh2-cm2h-354g: IcedTea-Web before 1↗2022-05-14

▶

OSV

icedtea-web vulnerabilities↗2015-11-24

▶

OSV

CVE-2015-5234: IcedTea-Web before 1↗2015-10-09

▶

CVEList

CVE-2015-5234: IcedTea-Web before 1↗2015-10-09

▶

📋Vendor Advisories

Ubuntu

IcedTea Web vulnerabilities↗2015-11-24

▶

Red Hat

icedtea-web: unexpected permanent authorization of unsigned applets↗2015-09-02

▶

Debian

CVE-2015-5234: icedtea-web - IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize apple...↗2015

▶

💬Community

Bugzilla

CVE-2015-5235 CVE-2015-5234 icedtea-web: various flaws [fedora-all]↗2015-09-02

▶

Bugzilla

CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned applets↗2015-06-19

▶