CVE-2019-10182
moderate-risk
Published 2019-07-31
It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
Do I need to act?
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.2/10
High
NETWORK / LOW complexity
Affected Products (7)
Affected Vendors
References (14)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182
45 / 100
moderate-risk
Severity
28/34 · Critical
Exploitability
3/34 · Minimal
Exposure
14/34 · Moderate