CVE-2019-10185

Description

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack (path traversal through crafted archive entry names) during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
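The defensive check that a zip-slip flaw lacks is shown below as an added example; it is not code from icedtea-web or from this advisory. It extracts a JAR with the standard java.util.jar classes and refuses any entry whose normalized path would land outside the chosen target directory. The class and method names (SafeJarExtract, resolveEntry, extract, buildJar) and the entry names in the constructed sample archive are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;

public class SafeJarExtract {

    /** Thrown when an archive entry would be written outside the target directory. */
    static final class ZipSlipException extends IOException {
        ZipSlipException(String entryName) {
            super("entry escapes target directory: " + entryName);
        }
    }

    /**
     * Resolve an entry name under targetDir and reject it if it escapes.
     * normalize() collapses "." and ".." components; an absolute entry name
     * replaces the base on resolve() and therefore also fails the prefix test.
     * startsWith() compares whole path components, so "/tmp/target2" is not
     * mistaken for a child of "/tmp/target".
     */
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(entryName).normalize();
        if (!resolved.startsWith(base)) {
            throw new ZipSlipException(entryName);
        }
        return resolved;
    }

    /** Extract every entry of the JAR stream into targetDir, checking each name first. */
    static void extract(InputStream jarBytes, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (JarInputStream in = new JarInputStream(jarBytes)) {
            JarEntry entry;
            while ((entry = in.getNextJarEntry()) != null) {
                Path out = resolveEntry(targetDir, entry.getName()); // throws on traversal
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    // Files.copy without REPLACE_EXISTING fails rather than silently
                    // overwriting a file that is already present in the target.
                    Files.copy(in, out);
                }
                in.closeEntry();
            }
        }
    }

    /** Build a small JAR in memory (constructed sample input for the demo). */
    static byte[] buildJar(String... entryNames) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (JarOutputStream jar = new JarOutputStream(buf)) {
            for (String name : entryNames) {
                jar.putNextEntry(new JarEntry(name));
                jar.write("constructed sample content\n".getBytes(StandardCharsets.UTF_8));
                jar.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("safe-jar-extract");
        // Constructed sample: one ordinary entry and one entry name that uses ".."
        // components, the shape of entry a zip-slip archive relies on.
        byte[] jar = buildJar("META-INF/app.properties", "../../outside-target.txt");
        try {
            extract(new ByteArrayInputStream(jar), target);
            System.out.println("extracted without rejection (unexpected)");
        } catch (ZipSlipException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the demo extracts META-INF/app.properties and then aborts on the second entry with "rejected: entry escapes target directory: ../../outside-target.txt"; nothing is written outside the temporary directory. Because JarInputStream is sequential, entries preceding a bad one have already been written when the exception is raised; where all-or-nothing behaviour is required, validate every entry name with resolveEntry in a first pass (for example over a JarFile on disk) before writing anything.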

Risk Information

Base Score: 8.6 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
EPSS Score (Exploitation Probability): 1.563

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2019-10181, CVE-2019-10182, CVE-2019-10185 are affected in IcedTea-Web 1.7.2 | Windows
Vulnerabilities CVE-2019-10181, CVE-2019-10182, CVE-2019-10185 are affected in IcedTea-Web 1.8.2 | Windows
(RHSA-2019:2003) icedtea-web security update icedtea-web-1.7.1-2.el7_6.x86_64.rpm | Linux
(RHSA-2019:2003) icedtea-web security update icedtea-web-devel-1.7.1-2.el7_6.noarch.rpm | Linux
(RHSA-2019:2003) icedtea-web security update icedtea-web-javadoc-1.7.1-2.el7_6.noarch.rpm | Linux
(RHSA-2019:2004) icedtea-web security update icedtea-web-1.7.1-17.el8_0.noarch.rpm | Linux
(RHSA-2019:2004) icedtea-web security update icedtea-web-javadoc-1.7.1-17.el8_0.noarch.rpm | Linux
Icedtea-web update (ELSA-2019-2004) icedtea-web-1.7.1-17.el8_0.noarch.rpm | Linux
Icedtea-web-javadoc update (ELSA-2019-2004) icedtea-web-javadoc-1.7.1-17.el8_0.noarch.rpm | Linux
(CESA-2019:2004) icedtea-web security update icedtea-web-1.7.1-17.el8_0.noarch.rpm | Linux
(CESA-2019:2004) icedtea-web security update icedtea-web-javadoc-1.7.1-17.el8_0.noarch.rpm | Linux
(CESA-2019:2003) icedtea-web security update icedtea-web-1.7.1-2.el7_6.x86_64.rpm | Linux
(RHSA-2019:2003) Important: security update icedtea-web-debuginfo-1.7.1-2.el7_6.x86_64.rpm | Linux
Icedtea-web update (ELSA-2019-2003) icedtea-web-1.7.1-2.el7_6.x86_64.rpm | Linux

Patch Details

Patch ID | Patch Description
PATCH-322218 | IcedTea-Web (1.8.8)

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234