CVE-2019-10185

Published: 31 July 2019

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

Priority

Medium

CVSS 3 base score: 8.6

Status

Package: icedtea-web (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1.5.3-1+deb8u1, 1.8.3-1)
Ubuntu 21.10 (Impish Indri): Needed
Ubuntu 21.04 (Hirsute Hippo): Ignored (reached end-of-life)
Ubuntu 20.04 LTS (Focal Fossa): Needed
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist