Description
IcedTea-Web up to and including 1.7.2 and 1.8.2 is vulnerable to a zip-slip attack (CWE-22 path traversal) during auto-extraction of a JAR file: archive entry names are used unchecked when building the output path, so an entry containing path-traversal sequences such as ../ is written outside the extraction directory. An attacker who can get a crafted JAR auto-extracted can use this flaw to write files to arbitrary locations writable by the user running IcedTea-Web. This could also be used to replace the main running application and, possibly, break out of the sandbox.
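The pattern behind the description above, as an added example that is not IcedTea-Web's own code: a JAR is a zip file, so the standard zipfile module is enough to build a constructed sample archive in memory, run it through the vulnerable "join the entry name onto the destination" extractor, and then through a hardened extractor that validates every entry against the real extraction root before writing anything. The entry names, file contents and scratch directory layout are all constructed for this demonstration.

```python
"""Zip-slip during archive extraction: vulnerable pattern vs. hardened check.

Added example, not IcedTea-Web code.  All archive contents are constructed.
"""
import io
import os
import tempfile
import zipfile

# Constructed traversal entry; a real attack would aim at a file worth
# overwriting (the advisory mentions the running application itself).
TRAVERSAL_ENTRY = "../../escaped.txt"


def build_malicious_jar() -> bytes:
    """Constructed sample 'JAR': one benign entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # zipfile does not sanitise names on write, so '../' survives intact.
        zf.writestr(TRAVERSAL_ENTRY, "written outside the target directory\n")
    return buf.getvalue()


def find_traversal_entries(jar_bytes: bytes, root: str) -> list[str]:
    """Pre-extraction check: names that would resolve outside `root`.

    realpath() normalises '..' and follows symlinks already on disk, and the
    commonpath test also rejects absolute entry names, which os.path.join
    would otherwise honour.  Nothing is written.
    """
    root = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [
            name for name in zf.namelist()
            if os.path.commonpath(
                [root, os.path.realpath(os.path.join(root, name))]) != root
        ]


def extract_unsafe(jar_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: entry name joined onto dest and used as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


class ZipSlipError(ValueError):
    """An archive entry would land outside the extraction root."""


def extract_safe(jar_bytes: bytes, dest: str) -> list[str]:
    """Hardened extractor: validate every entry first, then write."""
    root = os.path.realpath(dest)
    bad = find_traversal_entries(jar_bytes, root)
    if bad:
        raise ZipSlipError(f"entries escape {root}: {bad!r}")
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors in a scratch tree and report what happened."""
    jar = build_malicious_jar()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        # Two levels below tmp so '../../' lands exactly in tmp.
        unsafe_dest = os.path.join(tmp, "unsafe", "app")
        safe_dest = os.path.join(tmp, "safe", "app")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)

        written = extract_unsafe(jar, unsafe_dest)
        outside = [p for p in written
                   if os.path.commonpath([unsafe_dest, p]) != unsafe_dest]
        try:
            extract_safe(jar, safe_dest)
            rejected = False
        except ZipSlipError:
            rejected = True
        return {
            "escaped_files": [os.path.relpath(p, tmp) for p in outside],
            "safe_rejected": rejected,
            "safe_dest_empty": os.listdir(safe_dest) == [],
        }


if __name__ == "__main__":
    print(demo())
```

The unsafe extractor drops escaped.txt two directories above its target, which is exactly the primitive the advisory describes; the hardened one checks the whole archive before the first write, so a rejected JAR leaves the destination untouched rather than half-extracted. The same resolve-then-compare check applies to any archive format, not only JARs.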
References (8)
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344 (Patch, Third Party Advisory; x_refsource_confirm)
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327 (Third Party Advisory; x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185 (Issue Tracking, Third Party Advisory; x_refsource_confirm)
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html (Third Party Advisory, vendor advisory; x_refsource_suse)
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html (Third Party Advisory, mailing list; x_refsource_mlist)
https://seclists.org/bugtraq/2019/Oct/5 (Mailing List, Third Party Advisory; x_refsource_bugtraq)
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html (Third Party Advisory, VDB Entry; x_refsource_misc)
https://security.gentoo.org/glsa/202107-51 (Patch, Third Party Advisory, vendor advisory; x_refsource_gentoo)
Scores
CVSS v3: 8.6 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector: NETWORK. The vector scores high integrity impact with a changed scope and no confidentiality or availability impact, consistent with an arbitrary file write that reaches beyond the extraction directory.
EPSS: 0.0182
EPSS Percentile: 83.1%
Details
CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (4)
debian/debian_linux 8.0
icedtea-web_project/icedtea-web 1.8.2
icedtea-web_project/icedtea-web < 1.7.2
opensuse/leap 15.0
Note: the description counts 1.7.2 itself as affected, while the product range above lists < 1.7.2; consult the upstream pull request linked in the references before treating 1.7.2 as fixed.
Published
Jul 31, 2019
Tracked Since
Feb 18, 2026