PT-2019-2938 · Icedtea+4 · Icedtea-Web+4

Imre Rad · Published 2019-07-31 · Updated 2025-05-22 · CVE-2019-10181

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

icedtea-web versions 1.7.2 and earlier
icedtea-web versions 1.8.2 and earlier

Description

The issue stems from insufficient verification of data authenticity: an attacker can inject executable code into a signed JAR file without causing signature verification to fail. A remote attacker can exploit this flaw to inject arbitrary code into a trusted JAR, and that code is then executed inside the sandbox.

Recommendations

For icedtea-web versions 1.7.2 and earlier, update to a version later than 1.7.2. For icedtea-web versions 1.8.2 and earlier, update to a version later than 1.8.2. As a temporary workaround, restrict the execution of code inside the sandbox to reduce the risk of exploitation.

Weakness Enumeration

Insufficient Verification of Data Authenticity
Race Condition

Related Identifiers

ALT-PU-2025-6401
BDU:2019-02913
BDU:2020-01807
CESA-2019_2003
CESA-2019_2004
CVE-2019-10181
DLA-1914-1
MGASA-2019-0242
OPENSUSE-SU-2019:1911-1
OPENSUSE-SU-2019_1911-1
OPENSUSE-SU-2022_1259-1
OPENSUSE-SU-2024:10855-1
RHSA-2019:2003
RHSA-2019:2004
RHSA-2019_2003
RHSA-2019_2004
SUSE-SU-2019:2033-1
SUSE-SU-2019_2033-1
SUSE-SU-2022:1259-1
SUSE-SU-2022_1259-1

Affected Products

Alt Linux
Centos
Red Hat
Suse
Icedtea-Web