CVE-2019-10182

CWE-22 — Path Traversal CWE-94 — Code Injection8 documents7 sources

Severity

6.5MEDIUM

EPSS

1.4%

top 19.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icedtea-web Project Icedtea-web Icedtea Icedtea-web Redhat Enterprise Linux Desktop +4 more

Timeline

PublishedJul 31

Latest updateMay 24

Description

It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:LExploitability: 2.8 | Impact: 4.7

Affected Packages6 packages

▶Debianicedtea-web< 1.8.3-1+3

▶NVDicedtea-web_project/icedtea-web1.7.2+1

▶CVEListV5icedtea/icedtea-webaffects up to and including 1.7.2 and 1.8.2

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Enterprise Linux 7.6

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-cqfc-r7qj-5fgq: It was found that icedtea-web though 1↗2022-05-24

▶

CVEList

CVE-2019-10182: It was found that icedtea-web though 1↗2019-07-31

▶

OSV

CVE-2019-10182: It was found that icedtea-web though 1↗2019-07-31

▶

📋Vendor Advisories

Red Hat

icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite↗2019-07-31

▶

Debian

CVE-2019-10182: icedtea-web - It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize p...↗2019

▶

💬Community

Bugzilla

CVE-2019-10182 icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite [fedora-all]↗2019-07-31

▶

Bugzilla

CVE-2019-10182 icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite↗2019-06-28

▶