Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2015-5234 (GCVE-0-2015-5234)
Vulnerability from cvelistv5
Published
2015-10-09 14:00
Modified
2024-08-06 06:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:08.613Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "USN-2817-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"name": "openSUSE-SU-2015:1595",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "FEDORA-2015-15676",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"name": "1033780",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033780"
},
{
"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"name": "RHSA-2016:0778",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"name": "FEDORA-2015-15677",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-06T18:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "USN-2817-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"name": "openSUSE-SU-2015:1595",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "FEDORA-2015-15676",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"name": "1033780",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033780"
},
{
"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"name": "RHSA-2016:0778",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"name": "FEDORA-2015-15677",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5234",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-2817-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"name": "openSUSE-SU-2015:1595",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "FEDORA-2015-15676",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"name": "1033780",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033780"
},
{
"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released",
"refsource": "MLIST",
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"name": "RHSA-2016:0778",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"name": "FEDORA-2015-15677",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5234",
"datePublished": "2015-10-09T14:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:08.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2015-5234\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-10-09T14:59:01.843\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.\"},{\"lang\":\"es\",\"value\":\"IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x anterior a 1.6.1 no limpia correctamente URLs de applet, lo que permite a atacantes remotos inyectar applets en el archivo de configuraci\u00f3n .appletTrustSettings y eludir la aprobaci\u00f3n del usuario para ejecutar la applet a trav\u00e9s de una p\u00e1gina web manipulada, probablemente relacionada con el salto de l\u00ednea.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2FAC325-6EEB-466D-9EBA-8ED4DBC9CFBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BBCD86A-E6C7-4444-9D74-F861084090F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5ED5807-55B7-47C5-97A6-03233F4FBC3A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"03117DF1-3BEC-4B8D-AD63-DBBDB2126081\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:icedtea:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.5.2\",\"matchCriteriaId\":\"BDB43F31-4C43-4E80-8B2A-66A8502FCA11\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:icedtea:1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"28570EF8-C777-4AA9-BD96-ADA1D4B09B91\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56BDB5A0-0839-4A20-A003-B8CD56F48171\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"253C303A-E577-4488-93E6-68A8DD942C38\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0778.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1033780\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2817-1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1233667\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0778.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1033780\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-2817-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1233667\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]}]}}"
}
}
ghsa-vjh2-cm2h-354g
Vulnerability from github
Published
2022-05-14 02:07
Modified
2022-05-14 02:07
VLAI Severity ?
Details
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
{
"affected": [],
"aliases": [
"CVE-2015-5234"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-10-09T14:59:00Z",
"severity": "MODERATE"
},
"details": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"id": "GHSA-vjh2-cm2h-354g",
"modified": "2022-05-14T02:07:39Z",
"published": "2022-05-14T02:07:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5234"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"type": "WEB",
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033780"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2817-1"
}
],
"schema_version": "1.4.0",
"severity": []
}
fkie_cve-2015-5234
Vulnerability from fkie_nvd
Published
2015-10-09 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html | Third Party Advisory | |
| secalert@redhat.com | http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html | Patch | |
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2016-0778.html | Third Party Advisory | |
| secalert@redhat.com | http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html | ||
| secalert@redhat.com | http://www.securitytracker.com/id/1033780 | ||
| secalert@redhat.com | http://www.ubuntu.com/usn/USN-2817-1 | ||
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1233667 | Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2016-0778.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1033780 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.ubuntu.com/usn/USN-2817-1 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1233667 | Issue Tracking |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | enterprise_linux_desktop | 6.0 | |
| redhat | enterprise_linux_hpc_node | 6.0 | |
| redhat | enterprise_linux_server | 6.0 | |
| redhat | enterprise_linux_workstation | 6.0 | |
| opensuse | opensuse | 13.1 | |
| opensuse | opensuse | 13.2 | |
| redhat | icedtea | * | |
| redhat | icedtea | 1.6 | |
| fedoraproject | fedora | 21 | |
| fedoraproject | fedora | 22 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C2FAC325-6EEB-466D-9EBA-8ED4DBC9CFBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:icedtea:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BDB43F31-4C43-4E80-8B2A-66A8502FCA11",
"versionEndIncluding": "1.5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:icedtea:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "28570EF8-C777-4AA9-BD96-ADA1D4B09B91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks."
},
{
"lang": "es",
"value": "IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x anterior a 1.6.1 no limpia correctamente URLs de applet, lo que permite a atacantes remotos inyectar applets en el archivo de configuraci\u00f3n .appletTrustSettings y eludir la aprobaci\u00f3n del usuario para ejecutar la applet a trav\u00e9s de una p\u00e1gina web manipulada, probablemente relacionada con el salto de l\u00ednea."
}
],
"id": "CVE-2015-5234",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-10-09T14:59:01.843",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1033780"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033780"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
suse-su-2015:1682-1
Vulnerability from csaf_suse
Published
2015-09-15 09:42
Modified
2015-09-15 09:42
Summary
Security update for icedtea-web
Notes
Title of the patch
Security update for icedtea-web
Description of the patch
The Java IcedTea-Web Plugin was updated to 1.6.1 bringing
various features, bug- and securityfixes.
* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with
permissions all-permissions now run in sandbox instead of not
t all.
* fixed DownloadService
* comments in deployment.properties now should persists load/save
* fixed bug in caching of files with query
* fixed issues with recreating of existing shortcut
* trustAll/trustNone now processed correctly
* headless no longer shows dialogues
* RH1231441 Unable to read the text of the buttons of the security
dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing
(CVE-2015-5235, bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization
of unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications
(but ignoring actual manifest value) and fixed
* NetX
- fixed issues with -html shortcuts
- fixed issue with -html receiving garbage in width and height
* PolicyEditor
- file flag made to work when used standalone
- file flag and main argument cannot be used in combination
The update to 1.6 is included and brings:
* Massively improved offline abilities. Added Xoffline switch to
force work without inet connection.
* Improved to be able to run with any JDK
* JDK 6 and older no longer supported
* JDK 8 support added (URLPermission granted if applicable)
* JDK 9 supported
* Added support for Entry-Point manifest attribute
* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property
to control scan of Manifest file
* starting arguments now accept also -- abbreviations
* Added new documentation
* Added support for menu shortcuts - both javaws
applications/applets and html applets are supported
* added support for -html switch for javaws. Now you can run most
of the applets without browser at all
* Control Panel
- PR1856: ControlPanel UI improvement for lower resolutions
(800*600)
* NetX
- PR1858: Java Console accepts multi-byte encodings
- PR1859: Java Console UI improvement for lower resolutions
(800*600)
- RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
java.lang.ClassCastException in method
sun.applet.PluginAppletViewer$8.run()
- Dropped support for long unmaintained -basedir argument
- Returned support for -jnlp argument
- RH1095311, PR574 - References class sun.misc.Ref removed in
OpenJDK 9 - fixed, and so buildable on JDK9
* Plugin
- PR1743 - Intermittant deadlock in PluginRequestProcessor
- PR1298 - LiveConnect - problem setting array elements (applet
variables) from JS
- RH1121549: coverity defects
- Resolves method overloading correctly with superclass
heirarchy distance
* PolicyEditor
- codebases can be renamed in-place, copied, and pasted
- codebase URLs can be copied to system clipboard
- displays a progress dialog while opening or saving files
- codebases without permissions assigned save to file anyway
(and re-appear on next open)
- PR1776: NullPointer on save-and-exit
- PR1850: duplicate codebases when launching from security dialogs
- Fixed bug where clicking 'Cancel' on the 'Save before Exiting'
dialog could result in the editor exiting without saving
changes
- Keyboard accelerators and mnemonics greatly improved
- 'File - New' allows editing a new policy without first
selecting the file to save to
* Common
- PR1769: support signed applets which specify Sandbox
permissions in their manifests
* Temporary Permissions in security dialog now multi-selectable
and based on PolicyEditor permissions
The update to 1.5.2 brings OpenJDK 8 support (fate#318956)
* NetX
- RH1095311, PR574 - References class sun.misc.Ref removed in
OpenJDK 9 - fixed, and so buildable on JDK9
- RH1154177 - decoded file needed from cache
- fixed NPE in https dialog
- empty codebase behaves as '.'
Patchnames
SUSE-SLE-DESKTOP-12-2015-642,SUSE-SLE-WE-12-2015-642
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for icedtea-web",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThe Java IcedTea-Web Plugin was updated to 1.6.1 bringing\nvarious features, bug- and securityfixes.\n\n* Enabled Entry-Point attribute check\n* permissions sandbox and signed app and unsigned app with\n permissions all-permissions now run in sandbox instead of not\nt all.\n* fixed DownloadService\n* comments in deployment.properties now should persists load/save\n* fixed bug in caching of files with query\n* fixed issues with recreating of existing shortcut\n* trustAll/trustNone now processed correctly\n* headless no longer shows dialogues\n* RH1231441 Unable to read the text of the buttons of the security\n dialogue\n* Fixed RH1233697 icedtea-web: applet origin spoofing\n (CVE-2015-5235, bsc#944208)\n* Fixed RH1233667 icedtea-web: unexpected permanent authorization\n of unsigned applets (CVE-2015-5234, bsc#944209)\n* MissingALACAdialog made available also for unsigned applications\n (but ignoring actual manifest value) and fixed\n* NetX\n - fixed issues with -html shortcuts\n - fixed issue with -html receiving garbage in width and height\n* PolicyEditor\n - file flag made to work when used standalone\n - file flag and main argument cannot be used in combination\n\nThe update to 1.6 is included and brings:\n\n* Massively improved offline abilities. Added Xoffline switch to\n force work without inet connection.\n* Improved to be able to run with any JDK\n* JDK 6 and older no longer supported\n* JDK 8 support added (URLPermission granted if applicable)\n* JDK 9 supported \n* Added support for Entry-Point manifest attribute\n* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property\n to control scan of Manifest file \n* starting arguments now accept also -- abbreviations\n* Added new documentation\n* Added support for menu shortcuts - both javaws\n applications/applets and html applets are supported\n* added support for -html switch for javaws. Now you can run most\n of the applets without browser at all\n* Control Panel\n - PR1856: ControlPanel UI improvement for lower resolutions\n (800*600)\n* NetX\n - PR1858: Java Console accepts multi-byte encodings\n - PR1859: Java Console UI improvement for lower resolutions\n (800*600)\n - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception\n java.lang.ClassCastException in method\n sun.applet.PluginAppletViewer$8.run()\n - Dropped support for long unmaintained -basedir argument\n - Returned support for -jnlp argument\n - RH1095311, PR574 - References class sun.misc.Ref removed in\n OpenJDK 9 - fixed, and so buildable on JDK9\n* Plugin\n - PR1743 - Intermittant deadlock in PluginRequestProcessor\n - PR1298 - LiveConnect - problem setting array elements (applet\n variables) from JS\n - RH1121549: coverity defects\n - Resolves method overloading correctly with superclass\n heirarchy distance\n* PolicyEditor\n - codebases can be renamed in-place, copied, and pasted\n - codebase URLs can be copied to system clipboard\n - displays a progress dialog while opening or saving files\n - codebases without permissions assigned save to file anyway\n (and re-appear on next open)\n - PR1776: NullPointer on save-and-exit\n - PR1850: duplicate codebases when launching from security dialogs\n - Fixed bug where clicking \u0027Cancel\u0027 on the \u0027Save before Exiting\u0027\n dialog could result in the editor exiting without saving\n changes\n - Keyboard accelerators and mnemonics greatly improved\n - \u0027File - New\u0027 allows editing a new policy without first\n selecting the file to save to\n* Common\n - PR1769: support signed applets which specify Sandbox\n permissions in their manifests\n* Temporary Permissions in security dialog now multi-selectable\n and based on PolicyEditor permissions\n\nThe update to 1.5.2 brings OpenJDK 8 support (fate#318956)\n* NetX\n - RH1095311, PR574 - References class sun.misc.Ref removed in\n OpenJDK 9 - fixed, and so buildable on JDK9\n - RH1154177 - decoded file needed from cache\n - fixed NPE in https dialog\n - empty codebase behaves as \u0027.\u0027\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-DESKTOP-12-2015-642,SUSE-SLE-WE-12-2015-642",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_1682-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2015:1682-1",
"url": "https://www.suse.com/support/update/announcement/2015/suse-su-20151682-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2015:1682-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2015-October/001613.html"
},
{
"category": "self",
"summary": "SUSE Bug 944208",
"url": "https://bugzilla.suse.com/944208"
},
{
"category": "self",
"summary": "SUSE Bug 944209",
"url": "https://bugzilla.suse.com/944209"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5234 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5235 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5235/"
}
],
"title": "Security update for icedtea-web",
"tracking": {
"current_release_date": "2015-09-15T09:42:59Z",
"generator": {
"date": "2015-09-15T09:42:59Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2015:1682-1",
"initial_release_date": "2015-09-15T09:42:59Z",
"revision_history": [
{
"date": "2015-09-15T09:42:59Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"product": {
"name": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"product_id": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Desktop 12",
"product": {
"name": "SUSE Linux Enterprise Desktop 12",
"product_id": "SUSE Linux Enterprise Desktop 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sled:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Workstation Extension 12",
"product": {
"name": "SUSE Linux Enterprise Workstation Extension 12",
"product_id": "SUSE Linux Enterprise Workstation Extension 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-we:12"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64 as component of SUSE Linux Enterprise Desktop 12",
"product_id": "SUSE Linux Enterprise Desktop 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64 as component of SUSE Linux Enterprise Workstation Extension 12",
"product_id": "SUSE Linux Enterprise Workstation Extension 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Workstation Extension 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5234"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Desktop 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5234",
"url": "https://www.suse.com/security/cve/CVE-2015-5234"
},
{
"category": "external",
"summary": "SUSE Bug 944209 for CVE-2015-5234",
"url": "https://bugzilla.suse.com/944209"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Desktop 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-09-15T09:42:59Z",
"details": "moderate"
}
],
"title": "CVE-2015-5234"
},
{
"cve": "CVE-2015-5235",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5235"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Desktop 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5235",
"url": "https://www.suse.com/security/cve/CVE-2015-5235"
},
{
"category": "external",
"summary": "SUSE Bug 944208 for CVE-2015-5235",
"url": "https://bugzilla.suse.com/944208"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Desktop 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64",
"SUSE Linux Enterprise Workstation Extension 12:java-1_7_0-openjdk-plugin-1.6.1-2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-09-15T09:42:59Z",
"details": "moderate"
}
],
"title": "CVE-2015-5235"
}
]
}
suse-su-2015:1689-1
Vulnerability from csaf_suse
Published
2015-09-16 08:47
Modified
2015-09-16 08:47
Summary
Security update for icedtea-web
Notes
Title of the patch
Security update for icedtea-web
Description of the patch
The Java Plugin IcedTea Web was updated to 1.5.2, fixing bugs and security issues.
* permissions sandbox and signed app and unsigned app with
permissions all-permissions now run in sandbox instead of not at
all.
* fixed DownloadService
* RH1231441 Unable to read the text of the buttons of the
security dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing
(CVE-2015-5235, bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization
of unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
Patchnames
sledsp4-icedtea-web-12116
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for icedtea-web",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThe Java Plugin IcedTea Web was updated to 1.5.2, fixing bugs and security issues.\n\n* permissions sandbox and signed app and unsigned app with\n permissions all-permissions now run in sandbox instead of not at\n all.\n* fixed DownloadService\n* RH1231441 Unable to read the text of the buttons of the\n security dialogue\n* Fixed RH1233697 icedtea-web: applet origin spoofing\n (CVE-2015-5235, bsc#944208)\n* Fixed RH1233667 icedtea-web: unexpected permanent authorization\n of unsigned applets (CVE-2015-5234, bsc#944209)\n* MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sledsp4-icedtea-web-12116",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2015_1689-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2015:1689-1",
"url": "https://www.suse.com/support/update/announcement/2015/suse-su-20151689-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2015:1689-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2015-October/001615.html"
},
{
"category": "self",
"summary": "SUSE Bug 944208",
"url": "https://bugzilla.suse.com/944208"
},
{
"category": "self",
"summary": "SUSE Bug 944209",
"url": "https://bugzilla.suse.com/944209"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5234 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5235 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5235/"
}
],
"title": "Security update for icedtea-web",
"tracking": {
"current_release_date": "2015-09-16T08:47:54Z",
"generator": {
"date": "2015-09-16T08:47:54Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2015:1689-1",
"initial_release_date": "2015-09-16T08:47:54Z",
"revision_history": [
{
"date": "2015-09-16T08:47:54Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-1.5.3-0.9.1.i586",
"product": {
"name": "icedtea-web-1.5.3-0.9.1.i586",
"product_id": "icedtea-web-1.5.3-0.9.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-1.5.3-0.9.1.x86_64",
"product": {
"name": "icedtea-web-1.5.3-0.9.1.x86_64",
"product_id": "icedtea-web-1.5.3-0.9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Desktop 11 SP4",
"product": {
"name": "SUSE Linux Enterprise Desktop 11 SP4",
"product_id": "SUSE Linux Enterprise Desktop 11 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_sled:11:sp4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-1.5.3-0.9.1.i586 as component of SUSE Linux Enterprise Desktop 11 SP4",
"product_id": "SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.i586"
},
"product_reference": "icedtea-web-1.5.3-0.9.1.i586",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 11 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-1.5.3-0.9.1.x86_64 as component of SUSE Linux Enterprise Desktop 11 SP4",
"product_id": "SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.x86_64"
},
"product_reference": "icedtea-web-1.5.3-0.9.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Desktop 11 SP4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-5234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5234"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.i586",
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5234",
"url": "https://www.suse.com/security/cve/CVE-2015-5234"
},
{
"category": "external",
"summary": "SUSE Bug 944209 for CVE-2015-5234",
"url": "https://bugzilla.suse.com/944209"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.i586",
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-09-16T08:47:54Z",
"details": "moderate"
}
],
"title": "CVE-2015-5234"
},
{
"cve": "CVE-2015-5235",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5235"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.i586",
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5235",
"url": "https://www.suse.com/security/cve/CVE-2015-5235"
},
{
"category": "external",
"summary": "SUSE Bug 944208 for CVE-2015-5235",
"url": "https://bugzilla.suse.com/944208"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.i586",
"SUSE Linux Enterprise Desktop 11 SP4:icedtea-web-1.5.3-0.9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2015-09-16T08:47:54Z",
"details": "moderate"
}
],
"title": "CVE-2015-5235"
}
]
}
opensuse-su-2024:10316-1
Vulnerability from csaf_opensuse
Published
2024-06-15 00:00
Modified
2024-06-15 00:00
Summary
icedtea-web-javadoc-1.6.2-3.3 on GA media
Notes
Title of the patch
icedtea-web-javadoc-1.6.2-3.3 on GA media
Description of the patch
These are all security issues fixed in the icedtea-web-javadoc-1.6.2-3.3 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-10316
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "icedtea-web-javadoc-1.6.2-3.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the icedtea-web-javadoc-1.6.2-3.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-10316",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_10316-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2011-2513 page",
"url": "https://www.suse.com/security/cve/CVE-2011-2513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2011-2514 page",
"url": "https://www.suse.com/security/cve/CVE-2011-2514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2011-3377 page",
"url": "https://www.suse.com/security/cve/CVE-2011-3377/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2012-3422 page",
"url": "https://www.suse.com/security/cve/CVE-2012-3422/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2012-3423 page",
"url": "https://www.suse.com/security/cve/CVE-2012-3423/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2012-4540 page",
"url": "https://www.suse.com/security/cve/CVE-2012-4540/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-1926 page",
"url": "https://www.suse.com/security/cve/CVE-2013-1926/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-1927 page",
"url": "https://www.suse.com/security/cve/CVE-2013-1927/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2013-4349 page",
"url": "https://www.suse.com/security/cve/CVE-2013-4349/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5234 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5234/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-5235 page",
"url": "https://www.suse.com/security/cve/CVE-2015-5235/"
}
],
"title": "icedtea-web-javadoc-1.6.2-3.3 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:10316-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-1.6.2-3.3.aarch64",
"product": {
"name": "icedtea-web-javadoc-1.6.2-3.3.aarch64",
"product_id": "icedtea-web-javadoc-1.6.2-3.3.aarch64"
}
},
{
"category": "product_version",
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"product": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"product_id": "java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64"
}
},
{
"category": "product_version",
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"product": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"product_id": "java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"product": {
"name": "icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"product_id": "icedtea-web-javadoc-1.6.2-3.3.ppc64le"
}
},
{
"category": "product_version",
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"product": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"product_id": "java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le"
}
},
{
"category": "product_version",
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"product": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"product_id": "java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-1.6.2-3.3.s390x",
"product": {
"name": "icedtea-web-javadoc-1.6.2-3.3.s390x",
"product_id": "icedtea-web-javadoc-1.6.2-3.3.s390x"
}
},
{
"category": "product_version",
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"product": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"product_id": "java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x"
}
},
{
"category": "product_version",
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"product": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"product_id": "java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-1.6.2-3.3.x86_64",
"product": {
"name": "icedtea-web-javadoc-1.6.2-3.3.x86_64",
"product_id": "icedtea-web-javadoc-1.6.2-3.3.x86_64"
}
},
{
"category": "product_version",
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"product": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"product_id": "java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64"
}
},
{
"category": "product_version",
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64",
"product": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64",
"product_id": "java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-1.6.2-3.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64"
},
"product_reference": "icedtea-web-javadoc-1.6.2-3.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-1.6.2-3.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le"
},
"product_reference": "icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-1.6.2-3.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x"
},
"product_reference": "icedtea-web-javadoc-1.6.2-3.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-1.6.2-3.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64"
},
"product_reference": "icedtea-web-javadoc-1.6.2-3.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64"
},
"product_reference": "java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64"
},
"product_reference": "java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le"
},
"product_reference": "java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x"
},
"product_reference": "java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
},
"product_reference": "java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2011-2513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2011-2513"
}
],
"notes": [
{
"category": "general",
"text": "The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2011-2513",
"url": "https://www.suse.com/security/cve/CVE-2011-2513"
},
{
"category": "external",
"summary": "SUSE Bug 704309 for CVE-2011-2513",
"url": "https://bugzilla.suse.com/704309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2011-2513"
},
{
"cve": "CVE-2011-2514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2011-2514"
}
],
"notes": [
{
"category": "general",
"text": "The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2011-2514",
"url": "https://www.suse.com/security/cve/CVE-2011-2514"
},
{
"category": "external",
"summary": "SUSE Bug 704309 for CVE-2011-2514",
"url": "https://bugzilla.suse.com/704309"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2011-2514"
},
{
"cve": "CVE-2011-3377",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2011-3377"
}
],
"notes": [
{
"category": "general",
"text": "The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2011-3377",
"url": "https://www.suse.com/security/cve/CVE-2011-3377"
},
{
"category": "external",
"summary": "SUSE Bug 729870 for CVE-2011-3377",
"url": "https://bugzilla.suse.com/729870"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2011-3377"
},
{
"cve": "CVE-2012-3422",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2012-3422"
}
],
"notes": [
{
"category": "general",
"text": "The getFirstInTableInstance function in the IcedTea-Web plugin before 1.2.1 returns an uninitialized pointer when the instance_to_id_map hash is empty, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted web page, which causes an uninitialized memory location to be read.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2012-3422",
"url": "https://www.suse.com/security/cve/CVE-2012-3422"
},
{
"category": "external",
"summary": "SUSE Bug 773458 for CVE-2012-3422",
"url": "https://bugzilla.suse.com/773458"
},
{
"category": "external",
"summary": "SUSE Bug 818768 for CVE-2012-3422",
"url": "https://bugzilla.suse.com/818768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2012-3422"
},
{
"cve": "CVE-2012-3423",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2012-3423"
}
],
"notes": [
{
"category": "general",
"text": "The IcedTea-Web plugin before 1.2.1 does not properly handle NPVariant NPStrings without NUL terminators, which allows remote attackers to cause a denial of service (crash), obtain sensitive information from memory, or execute arbitrary code via a crafted Java applet.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2012-3423",
"url": "https://www.suse.com/security/cve/CVE-2012-3423"
},
{
"category": "external",
"summary": "SUSE Bug 773458 for CVE-2012-3423",
"url": "https://bugzilla.suse.com/773458"
},
{
"category": "external",
"summary": "SUSE Bug 818768 for CVE-2012-3423",
"url": "https://bugzilla.suse.com/818768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2012-3423"
},
{
"cve": "CVE-2012-4540",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2012-4540"
}
],
"notes": [
{
"category": "general",
"text": "Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, 1.3.x before 1.3.1, and 1.4.x before 1.4.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a \"triggering event attached to applet.\" NOTE: the 1.4.x versions were originally associated with CVE-2013-4349, but that entry has been MERGED with this one.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2012-4540",
"url": "https://www.suse.com/security/cve/CVE-2012-4540"
},
{
"category": "external",
"summary": "SUSE Bug 787846 for CVE-2012-4540",
"url": "https://bugzilla.suse.com/787846"
},
{
"category": "external",
"summary": "SUSE Bug 840572 for CVE-2012-4540",
"url": "https://bugzilla.suse.com/840572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2012-4540"
},
{
"cve": "CVE-2013-1926",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-1926"
}
],
"notes": [
{
"category": "general",
"text": "The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-1926",
"url": "https://www.suse.com/security/cve/CVE-2013-1926"
},
{
"category": "external",
"summary": "SUSE Bug 815596 for CVE-2013-1926",
"url": "https://bugzilla.suse.com/815596"
},
{
"category": "external",
"summary": "SUSE Bug 818768 for CVE-2013-1926",
"url": "https://bugzilla.suse.com/818768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2013-1926"
},
{
"cve": "CVE-2013-1927",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-1927"
}
],
"notes": [
{
"category": "general",
"text": "The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka \"GIFAR.\"",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-1927",
"url": "https://www.suse.com/security/cve/CVE-2013-1927"
},
{
"category": "external",
"summary": "SUSE Bug 815596 for CVE-2013-1927",
"url": "https://bugzilla.suse.com/815596"
},
{
"category": "external",
"summary": "SUSE Bug 818768 for CVE-2013-1927",
"url": "https://bugzilla.suse.com/818768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2013-1927"
},
{
"cve": "CVE-2013-4349",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2013-4349"
}
],
"notes": [
{
"category": "general",
"text": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4540. Reason: This candidate was MERGED into CVE-2012-4540, since it was later discovered that it affected an additional version, but it does not constitute a regression error. Notes: All CVE users should reference CVE-2012-4540 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2013-4349",
"url": "https://www.suse.com/security/cve/CVE-2013-4349"
},
{
"category": "external",
"summary": "SUSE Bug 840572 for CVE-2013-4349",
"url": "https://bugzilla.suse.com/840572"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2013-4349"
},
{
"cve": "CVE-2015-5234",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5234"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5234",
"url": "https://www.suse.com/security/cve/CVE-2015-5234"
},
{
"category": "external",
"summary": "SUSE Bug 944209 for CVE-2015-5234",
"url": "https://bugzilla.suse.com/944209"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-5234"
},
{
"cve": "CVE-2015-5235",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-5235"
}
],
"notes": [
{
"category": "general",
"text": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-5235",
"url": "https://www.suse.com/security/cve/CVE-2015-5235"
},
{
"category": "external",
"summary": "SUSE Bug 944208 for CVE-2015-5235",
"url": "https://bugzilla.suse.com/944208"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:icedtea-web-javadoc-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_7_0-openjdk-plugin-1.6.2-3.3.x86_64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.aarch64",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.ppc64le",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.s390x",
"openSUSE Tumbleweed:java-1_8_0-openjdk-plugin-1.6.2-3.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2015-5235"
}
]
}
gsd-2015-5234
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2015-5234",
"description": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"id": "GSD-2015-5234",
"references": [
"https://www.suse.com/security/cve/CVE-2015-5234.html",
"https://access.redhat.com/errata/RHSA-2016:0778",
"https://access.redhat.com/errata/RHBA-2015:2457",
"https://ubuntu.com/security/CVE-2015-5234",
"https://advisories.mageia.org/CVE-2015-5234.html",
"https://linux.oracle.com/cve/CVE-2015-5234.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2015-5234"
],
"details": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.",
"id": "GSD-2015-5234",
"modified": "2023-12-13T01:20:06.121369Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5234",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "USN-2817-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"name": "openSUSE-SU-2015:1595",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "FEDORA-2015-15676",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"name": "1033780",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033780"
},
{
"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released",
"refsource": "MLIST",
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"name": "RHSA-2016:0778",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"name": "FEDORA-2015-15677",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:icedtea:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.5.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:icedtea:1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5234"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2015-15676",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"
},
{
"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released",
"refsource": "MLIST",
"tags": [
"Patch"
],
"url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"name": "openSUSE-SU-2015:1595",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"
},
{
"name": "FEDORA-2015-15677",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"
},
{
"name": "RHSA-2016:0778",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"
},
{
"name": "USN-2817-1",
"refsource": "UBUNTU",
"tags": [],
"url": "http://www.ubuntu.com/usn/USN-2817-1"
},
{
"name": "1033780",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1033780"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2018-10-30T16:27Z",
"publishedDate": "2015-10-09T14:59Z"
}
}
}
rhba-2015:2457
Vulnerability from csaf_redhat
Published
2015-11-19 06:44
Modified
2024-11-22 09:27
Summary
Red Hat Bug Fix Advisory: icedtea-web bug fix and enhancement update
Notes
Topic
Updated icedtea-web packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 7.
Details
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the netX project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.
The icedtea-web packages have been upgraded to upstream version 1.6.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:
* The IcedTea-Web documentation and man pages have been significantly expanded.
* IcedTea-Web now supports bash completion.
* The "Custom Policies" and "Run in Sandbox" features have been enhanced.
* An -html switch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.
* It is now possible to use IcedTea-Web to crate desktop and menu launchers for applets and JavaWS applications.
(BZ#1217153)
Users of icedtea-web are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated icedtea-web packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 7.",
"title": "Topic"
},
{
"category": "general",
"text": "The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the netX project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.\n\nThe icedtea-web packages have been upgraded to upstream version 1.6.1, which provides a number of bug fixes and enhancements over the previous version. Notable changes include the following:\n\n* The IcedTea-Web documentation and man pages have been significantly expanded.\n* IcedTea-Web now supports bash completion.\n* The \"Custom Policies\" and \"Run in Sandbox\" features have been enhanced.\n* An -html switch has been implemented for the Java Web Start (JavaWS) framework, which can serve as a replacement of the AppletViewer program.\n* It is now possible to use IcedTea-Web to crate desktop and menu launchers for applets and JavaWS applications.\n\n(BZ#1217153)\n\nUsers of icedtea-web are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2015:2457",
"url": "https://access.redhat.com/errata/RHBA-2015:2457"
},
{
"category": "external",
"summary": "1217153",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1217153"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhba-2015_2457.json"
}
],
"title": "Red Hat Bug Fix Advisory: icedtea-web bug fix and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T09:27:38+00:00",
"generator": {
"date": "2024-11-22T09:27:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHBA-2015:2457",
"initial_release_date": "2015-11-19T06:44:02+00:00",
"revision_history": [
{
"date": "2015-11-19T06:44:02+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-19T06:44:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:27:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"product": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"product_id": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-debuginfo@1.6.1-4.el7?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"product": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"product_id": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.1-4.el7?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-0:1.6.1-4.el7.src",
"product": {
"name": "icedtea-web-0:1.6.1-4.el7.src",
"product_id": "icedtea-web-0:1.6.1-4.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.1-4.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"product": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"product_id": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-debuginfo@1.6.1-4.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "icedtea-web-0:1.6.1-4.el7.x86_64",
"product": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64",
"product_id": "icedtea-web-0:1.6.1-4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.1-4.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"product": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"product_id": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-javadoc@1.6.1-4.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-0:1.6.1-4.el7.src"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.src",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64 as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"relates_to_product_reference": "7Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"relates_to_product_reference": "7Workstation"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Andrea Palazzo"
],
"organization": "Truel IT"
}
],
"cve": "CVE-2015-5234",
"cwe": {
"id": "CWE-138",
"name": "Improper Neutralization of Special Elements"
},
"discovery_date": "2015-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1233667"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "icedtea-web: unexpected permanent authorization of unsigned applets",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5234"
},
{
"category": "external",
"summary": "RHBZ#1233667",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5234",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5234"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5234",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5234"
}
],
"release_date": "2015-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-19T06:44:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2015:2457"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "icedtea-web: unexpected permanent authorization of unsigned applets"
},
{
"acknowledgments": [
{
"names": [
"Andrea Palazzo"
],
"organization": "Truel IT"
}
],
"cve": "CVE-2015-5235",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"discovery_date": "2015-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1233697"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that IcedTea-Web did not properly determine an applet\u0027s origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "icedtea-web: applet origin spoofing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5235"
},
{
"category": "external",
"summary": "RHBZ#1233697",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5235",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5235"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5235",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5235"
}
],
"release_date": "2015-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-19T06:44:02+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2015:2457"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"7Client-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Client-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Client:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-0:1.6.1-4.el7.src",
"7Client:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Client:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Client:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Server-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Server:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-0:1.6.1-4.el7.src",
"7Server:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Server:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Server:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation-optional:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation-optional:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation-optional:icedtea-web-javadoc-0:1.6.1-4.el7.noarch",
"7Workstation:icedtea-web-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-0:1.6.1-4.el7.src",
"7Workstation:icedtea-web-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.ppc64le",
"7Workstation:icedtea-web-debuginfo-0:1.6.1-4.el7.x86_64",
"7Workstation:icedtea-web-javadoc-0:1.6.1-4.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "icedtea-web: applet origin spoofing"
}
]
}
rhsa-2016:0778
Vulnerability from csaf_redhat
Published
2016-05-10 18:35
Modified
2024-11-22 09:27
Summary
Red Hat Security Advisory: icedtea-web security, bug fix, and enhancement update
Notes
Topic
An update for icedtea-web is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.
The following packages have been upgraded to a newer upstream version: icedtea-web (1.6.2). (BZ#1275523)
Security Fix(es):
* It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval. (CVE-2015-5234)
* It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin. (CVE-2015-5235)
Red Hat would like to thank Andrea Palazzo (Truel IT) for reporting these issues.
For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for icedtea-web is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.\n\nThe following packages have been upgraded to a newer upstream version: icedtea-web (1.6.2). (BZ#1275523)\n\nSecurity Fix(es):\n\n* It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval. (CVE-2015-5234)\n\n* It was discovered that IcedTea-Web did not properly determine an applet\u0027s origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin. (CVE-2015-5235)\n\nRed Hat would like to thank Andrea Palazzo (Truel IT) for reporting these issues.\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:0778",
"url": "https://access.redhat.com/errata/RHSA-2016:0778"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/index.html",
"url": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/index.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Technical_Notes/index.html",
"url": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1233667",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"category": "external",
"summary": "1233697",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"
},
{
"category": "external",
"summary": "1299976",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1299976"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_0778.json"
}
],
"title": "Red Hat Security Advisory: icedtea-web security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T09:27:42+00:00",
"generator": {
"date": "2024-11-22T09:27:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:0778",
"initial_release_date": "2016-05-10T18:35:24+00:00",
"revision_history": [
{
"date": "2016-05-10T18:35:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-05-10T18:35:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T09:27:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HPC Node (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-0:1.6.2-1.el6.src",
"product": {
"name": "icedtea-web-0:1.6.2-1.el6.src",
"product_id": "icedtea-web-0:1.6.2-1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.2-1.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"product": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"product_id": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-debuginfo@1.6.2-1.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "icedtea-web-0:1.6.2-1.el6.i686",
"product": {
"name": "icedtea-web-0:1.6.2-1.el6.i686",
"product_id": "icedtea-web-0:1.6.2-1.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.2-1.el6?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-0:1.6.2-1.el6.x86_64",
"product": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64",
"product_id": "icedtea-web-0:1.6.2-1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web@1.6.2-1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"product": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"product_id": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-debuginfo@1.6.2-1.el6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"product": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"product_id": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/icedtea-web-javadoc@1.6.2-1.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Client-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)",
"product_id": "6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Client"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6ComputeNode-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)",
"product_id": "6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6ComputeNode"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Server-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Workstation-optional"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.src as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-0:1.6.2-1.el6.src"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.src",
"relates_to_product_reference": "6Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686 as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"relates_to_product_reference": "6Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64 as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64"
},
"product_reference": "icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"relates_to_product_reference": "6Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
},
"product_reference": "icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"relates_to_product_reference": "6Workstation"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Andrea Palazzo"
],
"organization": "Truel IT"
}
],
"cve": "CVE-2015-5234",
"cwe": {
"id": "CWE-138",
"name": "Improper Neutralization of Special Elements"
},
"discovery_date": "2015-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1233667"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "icedtea-web: unexpected permanent authorization of unsigned applets",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5234"
},
{
"category": "external",
"summary": "RHBZ#1233667",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5234",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5234"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5234",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5234"
}
],
"release_date": "2015-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-05-10T18:35:24+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nWeb browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.",
"product_ids": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:0778"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "icedtea-web: unexpected permanent authorization of unsigned applets"
},
{
"acknowledgments": [
{
"names": [
"Andrea Palazzo"
],
"organization": "Truel IT"
}
],
"cve": "CVE-2015-5235",
"cwe": {
"id": "CWE-345",
"name": "Insufficient Verification of Data Authenticity"
},
"discovery_date": "2015-06-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1233697"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that IcedTea-Web did not properly determine an applet\u0027s origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "icedtea-web: applet origin spoofing",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-5235"
},
{
"category": "external",
"summary": "RHBZ#1233697",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-5235",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-5235"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5235",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5235"
}
],
"release_date": "2015-09-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-05-10T18:35:24+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nWeb browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.",
"product_ids": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:0778"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Client-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Client-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Client:icedtea-web-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-0:1.6.2-1.el6.src",
"6Client:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Client:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Client:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.src",
"6ComputeNode:icedtea-web-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6ComputeNode:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6ComputeNode:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Server-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Server:icedtea-web-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-0:1.6.2-1.el6.src",
"6Server:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Server:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Server:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation-optional:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation-optional:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation-optional:icedtea-web-javadoc-0:1.6.2-1.el6.noarch",
"6Workstation:icedtea-web-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-0:1.6.2-1.el6.src",
"6Workstation:icedtea-web-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.i686",
"6Workstation:icedtea-web-debuginfo-0:1.6.2-1.el6.x86_64",
"6Workstation:icedtea-web-javadoc-0:1.6.2-1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "icedtea-web: applet origin spoofing"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…