CVE-2019-10185

CWE-22 — Path Traversal8 documents7 sources

Severity

8.6HIGH

EPSS

1.9%

top 16.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Icedtea-web Project Icedtea-web Icedtea Icedtea-web Debian Debian Linux +1 more

Timeline

PublishedJul 31

Latest updateMay 24

Description

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages4 packages

▶Debianicedtea-web< 1.8.3-1+3

▶NVDicedtea-web_project/icedtea-web1.7.2+1

▶CVEListV5icedtea/icedtea-webaffects up to and including 1.7.2 and 1.8.2

▶NVDopensuse/leap15.0

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: security.gentoo.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-3q3x-68j9-f9vv: It was found that icedtea-web up to and including 1↗2022-05-24

▶

OSV

CVE-2019-10185: It was found that icedtea-web up to and including 1↗2019-07-31

▶

CVEList

CVE-2019-10185: It was found that icedtea-web up to and including 1↗2019-07-31

▶

📋Vendor Advisories

Red Hat

icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite↗2019-07-31

▶

Debian

CVE-2019-10185: icedtea-web - It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable...↗2019

▶

💬Community

Bugzilla

CVE-2019-10185 icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite [fedora-all]↗2019-07-31

▶

Bugzilla

CVE-2019-10185 icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite↗2019-06-28

▶