PT-2019-2938 · Icedtea+4 · Icedtea-Web+4

Imre Rad · Published 2019-07-31 · Updated 2025-05-22 · CVE-2019-10181

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

icedtea-web versions 1.7.2 and earlier
icedtea-web versions 1.8.2 and earlier

Description

The issue is related to insufficient authentication of data, allowing an attacker to inject executable code into a JAR file without compromising signature verification. This flaw can be exploited by a remote attacker to inject arbitrary code into a trusted JAR, which would be executed inside the sandbox.

Recommendations

For icedtea-web versions 1.7.2 and earlier, update to a version later than 1.7.2 to resolve the issue. For icedtea-web versions 1.8.2 and earlier, update to a version later than 1.8.2 to resolve the issue. As a temporary workaround, consider restricting the execution of code inside the sandbox to minimize the risk of exploitation.

Fix

Insufficient Verification of Data Authenticity

Race Condition

Weakness Enumeration

Related Identifiers

ALT-PU-2025-6401
BDU:2019-02913
BDU:2020-01807
CESA-2019_2003
CESA-2019_2004
CVE-2019-10181
DLA-1914-1
MGASA-2019-0242
OPENSUSE-SU-2019:1911-1
OPENSUSE-SU-2019_1911-1
OPENSUSE-SU-2022_1259-1
OPENSUSE-SU-2024:10855-1
RHSA-2019:2003
RHSA-2019:2004
RHSA-2019_2003
RHSA-2019_2004
SUSE-SU-2019:2033-1
SUSE-SU-2019_2033-1
SUSE-SU-2022:1259-1
SUSE-SU-2022_1259-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Icedtea-Web