CVE-2019-10185 — HIGH (8.6)

Q: How severe is CVE-2019-10185?

CVE-2019-10185 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-10185?

Check the references section above for vendor advisories and patch information. Affected products include: Icedtea-Web Project Icedtea-Web, Debian Debian Linux, Opensuse Leap.

Vulnerability Description

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

CVSS Score

8.6

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Icedtea-Web Project	Icedtea-Web	<= 1.7.2
Debian	Debian Linux	8.0
Opensuse	Leap	15.0

Related Weaknesses (CWE)

CWE-22

References

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.htmlThird Party Advisory
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-DirectoThird Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185Issue TrackingThird Party Advisory
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327Third Party Advisory
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.htmlThird Party Advisory
https://seclists.org/bugtraq/2019/Oct/5Mailing ListThird Party Advisory
https://security.gentoo.org/glsa/202107-51PatchThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.htmlThird Party Advisory
http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-DirectoThird Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10185Issue TrackingThird Party Advisory
https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327Third Party Advisory
https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/09/msg00008.htmlThird Party Advisory
https://seclists.org/bugtraq/2019/Oct/5Mailing ListThird Party Advisory

FAQ

What is CVE-2019-10185?

CVE-2019-10185 is a vulnerability with a CVSS score of 8.6 (HIGH). It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary ...

How severe is CVE-2019-10185?

CVE-2019-10185 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-10185?

Check the references section above for vendor advisories and patch information. Affected products include: Icedtea-Web Project Icedtea-Web, Debian Debian Linux, Opensuse Leap.