CVE-2019-10181 — Insufficient Verification of Data Authenticity in Project Icedtea-web

CWE-345 — Insufficient Verification of Data Authenticity9 documents7 sources

Severity

8.1HIGHNVD

EPSS

0.4%

top 39.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icedtea-web Project Icedtea-web Icedtea Icedtea-web Debian Linux +1 more

Timeline

PublishedJul 31

Latest updateMay 24

Description

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDicedtea-web_project/icedtea-web1.7.2+1

▶CVEListV5icedtea/icedtea-webaffects up to and including 1.7.2 and 1.8.2

▶NVDopensuse/leap15.0

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: security.gentoo.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-xv8g-hcfj-ppcw: It was found that in icedtea-web up to and including 1↗2022-05-24

▶

CVEList

CVE-2019-10181: It was found that in icedtea-web up to and including 1↗2019-07-31

▶

OSV

CVE-2019-10181: It was found that in icedtea-web up to and including 1↗2019-07-31

▶

📋Vendor Advisories

Red Hat

icedtea-web: unsigned code injection in a signed JAR file↗2019-07-31

▶

Debian

CVE-2019-10181: icedtea-web - It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable ...↗2019

▶

💬Community

Bugzilla

CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file [fedora-all]↗2019-07-31

▶

Bugzilla

CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file↗2019-07-01

▶

Bugzilla

CVE-2019-10185 icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite↗2019-06-28

▶