PT-2015-6809 · Oracle+4 · Icedtea-Web+4

Andrea Palazzo

Published

2015-09-15

Updated

2018-10-30

CVE-2015-5234

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions IcedTea-Web versions prior to 1.5.3 IcedTea-Web versions 1.6.x prior to 1.6.1

Description The issue allows remote attackers to inject applets into the .appletTrustSettings configuration file, bypassing user approval to execute the applet via a crafted web page. This is possibly related to line breaks in applet URLs, which are not properly sanitized.

Recommendations For IcedTea-Web versions prior to 1.5.3, update to version 1.5.3 or later. For IcedTea-Web versions 1.6.x prior to 1.6.1, update to version 1.6.1 or later.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CESA-2016_0778

CVE-2015-5234

MGASA-2015-0376

OPENSUSE-SU-2015_1595-1

OPENSUSE-SU-2024:10316-1

RHSA-2016:0778

RHSA-2016_0778

SUSE-SU-2015:1682-1

SUSE-SU-2015:1689-1

SUSE-SU-2015_1682-1

SUSE-SU-2015_1689-1

USN-2817-1

Affected Products

Centos

Icedtea-Web

Red Hat

Suse

Ubuntu

PT-2015-6809 · Oracle+4 · Icedtea-Web+4

CVE-2015-5234

Weakness Enumeration

Related Identifiers

Affected Products

References · 51