Your submission was sent successfully! Close

CVE-2019-10185

Published: 31 July 2019

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

Priority

Medium

CVSS 3 base score: 8.6

Status

Package Release Status
icedtea-web
Launchpad, Ubuntu, Debian
bionic Needed

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needed

jammy Needed

precise Does not exist

trusty Does not exist

upstream
Released (1.5.3-1+deb8u1, 1.8.3-1)
xenial Ignored
(end of standard support, was needed)