mirror of
https://github.com/0xMarcio/cve.git
synced 2026-02-12 22:53:11 +00:00
CVE-2019-10181
Description
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
POC
Reference
- http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html
- https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344
- https://seclists.org/bugtraq/2019/Oct/5