CVE-2019-10181

{"id": "CVE-2019-10181", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2019-07-31T23:15:10.777", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://seclists.org/bugtraq/2019/Oct/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://security.gentoo.org/glsa/202107-51", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/bugtraq/2019/Oct/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202107-51", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-345"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox."}, {"lang": "es", "value": "Se descubri\u00f3 icedtea-web hasta 1.7.2 y 1.8.2 inclusive con c\u00f3digo ejecutable podr\u00eda ser inyectado en un archivo JAR sin comprometer la verificaci\u00f3n de la firma. Un atacante podr\u00eda usar este defecto para inyectar un c\u00f3digo en un archivo JAR seguro. El c\u00f3digo podr\u00eda ser ejecutado dentro de sandbox"}], "lastModified": "2024-11-21T04:18:35.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:icedtea-web_project:icedtea-web:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32F81AF6-462E-46F2-BECE-9400353385DD", "versionEndIncluding": "1.7.2"}, {"criteria": "cpe:2.3:a:icedtea-web_project:icedtea-web:1.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89D3F8CA-CE6A-41C3-AF15-ADA178DBF351"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}