PT-2019-2899 · Icedtea+4 · Icedtea-Web+4

Imre Rad · Published 2019-07-31 · Updated 2025-05-22 · CVE-2019-10185

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
icedtea-web versions 1.7.2 and earlier; icedtea-web versions 1.8.2 and earlier

Description
The issue is a zip-slip attack during auto-extraction of a JAR file, which could allow an attacker to write files to arbitrary locations. This could potentially be used to replace the main running application and possibly break out of the sandbox. The underlying weakness is improper restriction of a path name to a limited directory, which allows a remote attacker to write arbitrary files to the device's file system using a specially crafted archive in formats such as .tar, .jar, .war, .cpio, .apk, .rar, or .7z.

Recommendations
For icedtea-web versions 1.7.2 and earlier, update to a version later than 1.7.2 to resolve the issue. For icedtea-web versions 1.8.2 and earlier, update to a version later than 1.8.2 to resolve the issue. As a temporary workaround, consider disabling the auto-extraction of JAR files until a patch is available. Restrict access to the directory into which JAR contents are extracted to minimize the risk of exploitation.
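The missing check behind a zip-slip bug is shown below as an added example (not icedtea-web code): each entry name is resolved against the target directory and rejected if it escapes it. The sample JAR, the entry names in it, and the temporary directory are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def is_safe_entry(dest_dir, entry_name):
    """True only if entry_name, joined to dest_dir, still resolves inside
    dest_dir after normalisation; this is the check a zip-slip bug lacks."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    # Both "../" sequences and absolute names ("/etc/x") resolve outside dest.
    return target == dest or target.startswith(dest + os.sep)

def safe_extract(jar_bytes, dest_dir):
    """Extract a JAR (a zip) into dest_dir, skipping entries that escape it.
    Returns (extracted entry names, rejected entry names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_entry(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            out = Path(dest_dir) / info.filename
            if info.is_dir():
                out.mkdir(parents=True, exist_ok=True)
                continue
            out.parent.mkdir(parents=True, exist_ok=True)
            out.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

def build_sample_jar():
    """Constructed sample JAR: one benign entry plus two hostile entry
    names of the kind a zip-slip archive would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("../../outside.txt", "must never be written\n")
        zf.writestr("/abs/path.txt", "absolute names are rejected too\n")
    return buf.getvalue()

def demo():
    """Extract the sample into a fresh temp dir; return what was kept/rejected."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_sample_jar(), dest)
    return extracted, rejected, (Path(dest) / "META-INF/MANIFEST.MF").is_file()
```

The same containment test applies to any archive extractor the description lists (.tar, .war, .cpio, and so on): normalise the full target path before opening it for writing.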

Weakness Enumeration

Path traversal

Related Identifiers

ALT-PU-2025-6401
BDU:2019-02868
CESA-2019_2003
CESA-2019_2004
CVE-2019-10185
DLA-1914-1
MGASA-2019-0242
OPENSUSE-SU-2019:1911-1
OPENSUSE-SU-2019_1911-1
OPENSUSE-SU-2022_1259-1
OPENSUSE-SU-2024:10855-1
RHSA-2019:2003
RHSA-2019:2004
RHSA-2019_2003
RHSA-2019_2004
SUSE-SU-2019:2033-1
SUSE-SU-2022:1259-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Icedtea-Web