Vulnerability Description
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Hpc Node | 6.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Workstation | 6.0 |
| Opensuse | Opensuse | 13.1 |
| Redhat | Icedtea | <= 1.5.2 |
| Fedoraproject | Fedora | 21 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120. (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130. (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html (Third Party Advisory)
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html (Patch)
- http://rhn.redhat.com/errata/RHSA-2016-0778.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.h
- http://www.securitytracker.com/id/1033780
- http://www.ubuntu.com/usn/USN-2817-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1233667 (Issue Tracking)
FAQ
What is CVE-2015-5234?
CVE-2015-5234 is a vulnerability with a CVSS score of 6.8 (MEDIUM). IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user...
How severe is CVE-2015-5234?
CVE-2015-5234 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-5234?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Hpc Node, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation, Opensuse Opensuse.