CVSS: 8.2EPSS: 1%CPEs: 7EXPL: 1CVE-2019-10182 – icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite
https://notcve.org/view.php?id=CVE-2019-10182
31 Jul 2019 — It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from
CVSS: 8.3EPSS: 5%CPEs: 5EXPL: 0CVE-2017-3512 – Gentoo Linux Security Advisory 201705-03
https://notcve.org/view.php?id=CVE-2017-3512
24 Apr 2017 — Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 7u131 and 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in... • http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html •
CVSS: 4.3EPSS: 0%CPEs: 25EXPL: 0CVE-2017-3533 – OpenJDK: newline injection in the FTP client (Networking, 8170222)
https://notcve.org/view.php?id=CVE-2017-3533
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via FTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded,... • http://www.debian.org/security/2017/dsa-3858 • CWE-20: Improper Input Validation •
CVSS: 3.1EPSS: 0%CPEs: 24EXPL: 0CVE-2017-3539 – OpenJDK: MD5 allowed for jar verification (Security, 8171121)
https://notcve.org/view.php?id=CVE-2017-3539
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, i... • http://www.debian.org/security/2017/dsa-3858 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2017-3544 – OpenJDK: newline injection in the SMTP client (Networking, 8171533)
https://notcve.org/view.php?id=CVE-2017-3544
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SMTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded... • http://www.debian.org/security/2017/dsa-3858 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0CVE-2015-5234 – icedtea-web: unexpected permanent authorization of unsigned applets
https://notcve.org/view.php?id=CVE-2015-5234
09 Oct 2015 — IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks. IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x anterior a 1.6.1 no limpia correctamente URLs de applet, lo que permite a atacantes remotos inyectar applets en el archivo de configuración .appletTrustSettings y eludir l... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0CVE-2015-5235 – icedtea-web: applet origin spoofing
https://notcve.org/view.php?id=CVE-2015-5235
09 Oct 2015 — IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page. IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x en versiones anteriores a 1.6.1 no determina correctamente el origen de applets no firmados, lo que permite a atacantes remotos eludir el proceso de autorización o engañar al usuario para que acepte la ejecución del appl... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.5EPSS: 0%CPEs: 20EXPL: 1CVE-2013-6493 – Ubuntu Security Notice USN-2131-1
https://notcve.org/view.php?id=CVE-2013-6493
03 Mar 2014 — The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp. La implementación LiveConnect en plugin/icedteanp/IcedTeaNPPlugin.cc en IcedTea-Web anterior a 1.4.2 permite a usuarios locales leer los mensajes entre un Applet Java y un navegador de web mediante la precreación de un archivo de socket temporal con un nombre p... • http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 25EXPL: 0CVE-2013-1926 – icedtea-web: class loader sharing for applets with same codebase paths
https://notcve.org/view.php?id=CVE-2013-1926
18 Apr 2013 — The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. El plugin IcedTea-Web antes de v1.2.3 y v1.3.x antes v1.3.2 utiliza el mismo cargador de clases de applets con la misma ruta de código base pero desde diferentes ámbitos, lo que permite a atacantes remotos obtener información sensible o posib... • http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS •
CVSS: 8.8EPSS: 2%CPEs: 25EXPL: 0CVE-2013-1927 – icedtea-web: GIFAR issue
https://notcve.org/view.php?id=CVE-2013-1927
18 Apr 2013 — The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." El plugin IcedTea-Web antes de v1.2.3 y v1.3.x antes de v1.3.2 permite a atacantes remotos ejecutar código de su elección a través de un archivo creado para tal fin que valida tanto como archivo GIF y archivo JAR de Java, también conocido como archivo "GIFAR." Multiple vulnerabilities has been discovered and corrected i... • http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS •