CVE-2011-3377
Summary
| CVE | CVE-2011-3377 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-02-05 19:55:28 UTC |
| Updated | 2026-04-29 01:13:23 UTC |
| Description | The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain. |
Risk And Classification
Primary CVSS: v2.0 4.3 from [email protected]
AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.009710000 probability, percentile 0.766960000 (date 2026-05-04)
Problem Types: CWE-264 | n/a
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
NoneIntegrity
PartialAvailability
NoneAV:N/AC:M/Au:N/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 10.04 | - | lts | All |
| Operating System | Canonical | Ubuntu Linux | 10.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 11.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 11.10 | All | All | All |
| Operating System | Opensuse | Opensuse | 12.1 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0.1 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0.2 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0.3 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0.4 | All | All | All |
| Application | Redhat | Icedtea-web | 1.0.5 | All | All | All |
| Application | Redhat | Icedtea-web | 1.1 | All | All | All |
| Application | Redhat | Icedtea-web | 1.1.1 | All | All | All |
| Application | Redhat | Icedtea-web | 1.1.2 | All | All | All |
| Application | Redhat | Icedtea-web | 1.1.3 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.osvdb.org/76940 | af854a3a-2127-422b-91ae-364da2661108 | www.osvdb.org | |
| USN-1263-1: IcedTea-Web, OpenJDK 6 vulnerabilities | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | |
| IcedTea-Web Plugin CVE-2011-3377 Same Origin Policy Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| Bug 742515 – CVE-2011-3377 IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.redhat.com | |
| IcedTea-Web 1.0.6 and 1.1.4 (security releases) released | Deepak’s Blog | af854a3a-2127-422b-91ae-364da2661108 | dbhole.wordpress.com | Patch, Vendor Advisory |
| openSUSE-SU-2012:0371-1: moderate: update for icedtea-web | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | |
| access.redhat.com | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Debian -- Security Information -- DSA-2420-1 openjdk-6 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.