CVE-2019-10185

Sažetak

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

Reference

https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
https://seclists.org/bugtraq/2019/Oct/5
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
https://security.gentoo.org/glsa/202107-51

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:P

Zadnje važnije ažuriranje

12-02-2023 - 23:33

Objavljeno

31-07-2019 - 23:15