CVE-2019-10181
In short
A flaw in icedtea-web allows attackers to inject malicious code into JAR files while keeping the digital signature valid. This means users could run untrusted code thinking they are running a legitimate, trusted application.
Technical detail
The flaw, classified as CWE-345 (Insufficient Verification of Data Authenticity), affects icedtea-web versions up to and including 1.7.2 and 1.8.2 and allows code to be injected into a signed JAR file without invalidating its signature. The attack vector is local or network delivery of a crafted JAR; the injected code runs inside the Java sandbox, which limits but does not eliminate the security impact.
Summary generated and translated by AI from the official description.
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
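As an added defensive illustration (not code from IcedTea-Web or from the advisory): a signed JAR's META-INF/MANIFEST.MF records a digest for every entry the signature covers, so a consumer can sanity-check a JAR by flagging any entry that the manifest does not list or whose bytes no longer match the recorded digest. The example assumes SHA-256-Digest attributes and builds a constructed JAR in memory; it checks manifest coverage only and does not verify the PKCS#7 signature over the manifest itself.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {attribute: value}} for its per-entry sections."""
    text = text.replace("\r\n ", "").replace("\n ", "")  # unfold continuation lines
    sections, current, name = {}, {}, None
    for line in text.splitlines() + [""]:                 # trailing "" flushes the last section
        if not line:
            if name is not None:
                sections[name] = current
            current, name = {}, None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        else:
            current[key] = value
    return sections

def uncovered_entries(jar_bytes):
    """Entries outside META-INF/ that the manifest does not list, or whose bytes no
    longer match the SHA-256 digest the manifest records for them."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = manifest.get(info.filename, {}).get("SHA-256-Digest")
            actual = base64.b64encode(hashlib.sha256(zf.read(info)).digest()).decode()
            if expected != actual:
                flagged.append(info.filename)
    return flagged

def build_sample_jar():
    """Constructed sample: the manifest covers Main.class only; Evil.class was added afterwards."""
    main_class = b"\xca\xfe\xba\xbe constructed Main.class bytes"
    digest = base64.b64encode(hashlib.sha256(main_class).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: Main.class\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Main.class", main_class)
        zf.writestr("Evil.class", b"\xca\xfe\xba\xbe constructed injected bytes")
    return buf.getvalue()
```

Running `uncovered_entries(build_sample_jar())` reports `['Evil.class']`, the entry the manifest never covered; a JAR that passes this check still needs its signature over the manifest verified by the JDK's own verifier.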
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected products
IcedTea · icedtea-web
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10181
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html
https://seclists.org/bugtraq/2019/Oct/5
https://security.gentoo.org/glsa/202107-51