CVSS: 8.2EPSS: 0%CPEs: 7EXPL: 1CVE-2019-10182 – icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite
https://notcve.org/view.php?id=CVE-2019-10182
31 Jul 2019 — It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from
CVSS: 8.3EPSS: 1%CPEs: 5EXPL: 0CVE-2017-3512 – Gentoo Linux Security Advisory 201705-03
https://notcve.org/view.php?id=CVE-2017-3512
24 Apr 2017 — Vulnerability in the Java SE component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 7u131 and 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in... • http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html •
CVSS: 4.3EPSS: 0%CPEs: 25EXPL: 0CVE-2017-3533 – OpenJDK: newline injection in the FTP client (Networking, 8170222)
https://notcve.org/view.php?id=CVE-2017-3533
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via FTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded,... • http://www.debian.org/security/2017/dsa-3858 • CWE-20: Improper Input Validation •
CVSS: 3.1EPSS: 0%CPEs: 24EXPL: 0CVE-2017-3539 – OpenJDK: MD5 allowed for jar verification (Security, 8171121)
https://notcve.org/view.php?id=CVE-2017-3539
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, i... • http://www.debian.org/security/2017/dsa-3858 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3EPSS: 0%CPEs: 33EXPL: 0CVE-2017-3544 – OpenJDK: newline injection in the SMTP client (Networking, 8171533)
https://notcve.org/view.php?id=CVE-2017-3544
21 Apr 2017 — Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 6u141, 7u131 and 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SMTP to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded... • http://www.debian.org/security/2017/dsa-3858 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0CVE-2015-5234 – icedtea-web: unexpected permanent authorization of unsigned applets
https://notcve.org/view.php?id=CVE-2015-5234
09 Oct 2015 — IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks. IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x anterior a 1.6.1 no limpia correctamente URLs de applet, lo que permite a atacantes remotos inyectar applets en el archivo de configuración .appletTrustSettings y eludir l... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0CVE-2015-5235 – icedtea-web: applet origin spoofing
https://notcve.org/view.php?id=CVE-2015-5235
09 Oct 2015 — IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page. IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x en versiones anteriores a 1.6.1 no determina correctamente el origen de applets no firmados, lo que permite a atacantes remotos eludir el proceso de autorización o engañar al usuario para que acepte la ejecución del appl... • http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.3EPSS: 0%CPEs: 22EXPL: 0CVE-2011-2513 – icedtea-web: home directory path disclosure to untrusted applications
https://notcve.org/view.php?id=CVE-2011-2513
14 May 2014 — The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader. La implementación Java Network Launching Protocol (JNLP) en IcedTea6 1.9.x anterior a 1.9.9 y anterior a 1.8.9 y IcedTea-Web 1.1.x anterior a 1.1.1 y anterior a 1.0.4, permite a atacantes remotos obtener el nombre... • http://icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b29fdd0f4d04 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 22EXPL: 0CVE-2011-2514 – icedtea-web: Java Web Start security warning dialog manipulation
https://notcve.org/view.php?id=CVE-2011-2514
14 May 2014 — The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted. La implementación Java Network Launching Protocol (JNLP) en IcedTea6 1.9.x anterior a 1.9.9 y anterior a 1.8.9 y IcedT... • http://icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b99f9a9769e0 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 20EXPL: 1CVE-2013-6493 – Ubuntu Security Notice USN-2131-1
https://notcve.org/view.php?id=CVE-2013-6493
03 Mar 2014 — The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp. La implementación LiveConnect en plugin/icedteanp/IcedTeaNPPlugin.cc en IcedTea-Web anterior a 1.4.2 permite a usuarios locales leer los mensajes entre un Applet Java y un navegador de web mediante la precreación de un archivo de socket temporal con un nombre p... • http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •