Your submission was sent successfully! Close

CVE-2011-2514

Published: 20 July 2011

The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted.

From the Ubuntu security team

Omair Majid discovered that an unsigned Web Start application could manipulate the content of the security warning dialog message to show different file names in prompts. This could allow a remote attacker to confuse a user into granting access to a different file than they believe they are granting access to. This issue only affected Ubuntu 11.04.

Priority

Medium

Status

Package Release Status
icedtea-web
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Not vulnerable
(1.2-2ubuntu0.10.04.1)
maverick Does not exist

natty
Released (1.1.1-0ubuntu1~11.04.1)
oneiric Not vulnerable
(1.1.1-1ubuntu1)
upstream
Released (1.1.1)
openjdk-6
Launchpad, Ubuntu, Debian
hardy
Released (6b27-1.12.3-0ubuntu1~08.04.1)
lucid
Released (6b20-1.9.9-0ubuntu1~10.04.2)
maverick
Released (6b20-1.9.9-0ubuntu1~10.10.2)
natty Not vulnerable
(uses icedtea-web)
oneiric Not vulnerable
(uses icedtea-web)
upstream
Released (1.9.9)
openjdk-6b18
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid
Released (6b18-1.8.8-0ubuntu1~10.04.2+1.8.9)
maverick
Released (6b18-1.8.8-0ubuntu1~10.10.2+1.8.9)
natty Not vulnerable
(uses icedtea-web)
oneiric Not vulnerable
(uses icedtea-web)
upstream
Released (1.8.9)