CVE-2015-5234
Summary
| CVE | CVE-2015-5234 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-10-09 14:59:00 UTC |
| Updated | 2018-10-30 16:27:00 UTC |
| Description | IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 21 | All | All | All |
| Operating System | Fedoraproject | Fedora | 22 | All | All | All |
| Operating System | Fedoraproject | Fedora | 21 | All | All | All |
| Operating System | Fedoraproject | Fedora | 22 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.2 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.2 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Hpc Node | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Hpc Node | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 6.0 | All | All | All |
| Application | Redhat | Icedtea | 1.6 | All | All | All |
| Application | Redhat | Icedtea | 1.6 | All | All | All |
| Application | Redhat | Icedtea | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| [SECURITY] Fedora 21 Update: icedtea-web-1.6.1-1.fc21 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| IcedTea-Web Validation Flaws Let Remote Users Execute Arbitrary Applets - SecurityTracker | SECTRACK | www.securitytracker.com | |
| 1233667 – (CVE-2015-5234) CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned applets | CONFIRM | bugzilla.redhat.com | Issue Tracking |
| USN-2817-1: IcedTea Web vulnerabilities | Ubuntu | UBUNTU | www.ubuntu.com | |
| Oracle Linux Bulletin - April 2016 | CONFIRM | www.oracle.com | |
| IcedTea-Web 1.6.1 and 1.5.3 released | MLIST | mail.openjdk.java.net | Patch |
| [SECURITY] Fedora 22 Update: icedtea-web-1.6.1-1.fc22 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2015:1595-1: important: Security update | SUSE | lists.opensuse.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.