CVE-2019-10185

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

References

Affected packages

Debian:11 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / icedtea-web

Package

Name: icedtea-web
Purl: pkg:deb/debian/icedtea-web?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/adoptopenjdk/icedtea-web

Affected ranges

Type: GIT
Repo: https://github.com/adoptopenjdk/icedtea-web
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

6f71f3b56240cfac7f024b582b5f4565906ef38e

Last affected

9dafc9fb6d388d86862733cf3a008b29fd2204f6

Affected versions

icedtea-web-1.*

icedtea-web-1.0-branchpoint

icedtea-web-1.1-branchpoint

icedtea-web-1.2-branchpoint

icedtea-web-1.4-branchpoint

icedtea-web-1.5-branchpoint

icedtea-web-1.6-branchpoint

icedtea-web-1.7

icedtea-web-1.7-branchpoint

icedtea-web-1.7.1

icedtea-web-1.7.2

icedtea-web-1.8-branchpoint

icedtea-web-1.8.1

icedtea-web-1.8.1pre

icedtea-web-1.8.2