CVE-2019-10182

It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.

References

Affected packages

Debian:11 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/adoptopenjdk/icedtea-web

Affected ranges

Type: GIT
Repo: https://github.com/adoptopenjdk/icedtea-web
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

6f71f3b56240cfac7f024b582b5f4565906ef38e

Last affected

9dafc9fb6d388d86862733cf3a008b29fd2204f6

Affected versions

icedtea-web-1.*

icedtea-web-1.0-branchpoint

icedtea-web-1.1-branchpoint

icedtea-web-1.2-branchpoint

icedtea-web-1.4-branchpoint

icedtea-web-1.5-branchpoint

icedtea-web-1.6-branchpoint

icedtea-web-1.7

icedtea-web-1.7-branchpoint

icedtea-web-1.7.1

icedtea-web-1.7.2

icedtea-web-1.8-branchpoint

icedtea-web-1.8.1

icedtea-web-1.8.1pre

icedtea-web-1.8.2