CVE-2011-2513

IcedTea-Web < 1.0.3 and IcedTea6 < 1.8.8 - Exposure of Sensitive Information via ClassLoader Properties

Title source: llm
STIX 2.1

Description

The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.

References (8)

Core 8
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2011-1100.html
Various Sources vendor-advisory x_refsource_ubuntu
http://ubuntu.com/usn/usn-1178-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1025854
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=718164

Scores

EPSS 0.0250
EPSS Percentile 82.8%

Details

CWE
CWE-200
Status published
Products (22)
redhat/icedtea-web 1.0
redhat/icedtea-web 1.0.1
redhat/icedtea-web 1.0.2
redhat/icedtea-web 1.1
redhat/icedtea-web < 1.0.3
redhat/icedtea6 1.8
redhat/icedtea6 1.8.1
redhat/icedtea6 1.8.2
redhat/icedtea6 1.8.3
redhat/icedtea6 1.8.4
... and 12 more
Published May 14, 2014
Tracked Since Feb 18, 2026