CVE-2019-10181

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.

References

Affected packages

Git / github.com/adoptopenjdk/icedtea-web

Affected ranges

Type

GIT

Repo

https://github.com/adoptopenjdk/icedtea-web

Events

Introduced

Last affected

9dafc9fb6d388d86862733cf3a008b29fd2204f6

Introduced

Last affected

6f71f3b56240cfac7f024b582b5f4565906ef38e

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.8.2"
        }
    ]
}

Affected versions

icedtea-web-1.*

icedtea-web-1.0-branchpoint

icedtea-web-1.1-branchpoint

icedtea-web-1.2-branchpoint

icedtea-web-1.4-branchpoint

icedtea-web-1.5-branchpoint

icedtea-web-1.6-branchpoint

icedtea-web-1.7

icedtea-web-1.7-branchpoint

icedtea-web-1.7.1

icedtea-web-1.7.2

icedtea-web-1.8-branchpoint

icedtea-web-1.8.1

icedtea-web-1.8.1pre

icedtea-web-1.8.2

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10181.json"