CVE-2015-5235

CWE-20 — Improper Input Validation CWE-34510 documents8 sources

Severity

4.3MEDIUM

EPSS

0.9%

top 23.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Icedtea Fedoraproject Fedora Opensuse Opensuse +4 more

Timeline

PublishedOct 9

Latest updateMay 14

Description

IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages8 packages

▶Debianicedtea-web< 1.6.1-1+3

▶Ubuntuicedtea-web< 1.5.3-0ubuntu0.14.04.1

▶NVDredhat/icedtea1.5.2+1

▶NVDopensuse/opensuse13.1, 13.2+1

▶NVDredhat/enterprise_linux_server6.0

Also affects: Fedora 21, 22

Patches

Patch: mail.openjdk.java.net ↗Patch: mail.openjdk.java.net ↗

🔴Vulnerability Details

GHSA

GHSA-c7wx-r8q7-fmcf: IcedTea-Web before 1↗2022-05-14

▶

OSV

icedtea-web vulnerabilities↗2015-11-24

▶

CVEList

CVE-2015-5235: IcedTea-Web before 1↗2015-10-09

▶

OSV

CVE-2015-5235: IcedTea-Web before 1↗2015-10-09

▶

📋Vendor Advisories

Ubuntu

IcedTea Web vulnerabilities↗2015-11-24

▶

Red Hat

icedtea-web: applet origin spoofing↗2015-09-02

▶

Debian

CVE-2015-5235: icedtea-web - IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the ...↗2015

▶

💬Community

Bugzilla

CVE-2015-5235 CVE-2015-5234 icedtea-web: various flaws [fedora-all]↗2015-09-02

▶

Bugzilla

CVE-2015-5235 icedtea-web: applet origin spoofing↗2015-06-19

▶