CVE-2010-4351

Current Description

The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.

Basic Data

Published: January 20, 2011
Last Modified: August 17, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-264
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
      CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | Application | Redhat | Icedtea | 1.7 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.1 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.2 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.3 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.4 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.5 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.7.6 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.8 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.8.1 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.8.2 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.8.3 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.9 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.9.1 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.9.2 | * | * | * | * | * | * | * | - | - | - | -
      2.3 | Application | Redhat | Icedtea | 1.9.3 | * | * | * | * | * | * | * | - | - | - | -
    • OR Running on/with:
      CPE Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
      2.3 | Application | Sun | Openjdk | * | * | * | * | * | * | * | * | - | - | - | -

Vulnerable Software List

Vendor | Product | Versions
Redhat | Icedtea | 1.7, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8, 1.8.1, 1.8.2, 1.8.3, 1.9, 1.9.1, 1.9.2, 1.9.3

References

Name | URL | Source | Tags
http://blog.fuseyism.com/index.php/2011/01/18/security-icedtea6-177-184-194-released/ | http://blog.fuseyism.com/index.php/2011/01/18/security-icedtea6-177-184-194-released/ | CONFIRM | -
FEDORA-2011-0521 | http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053276.html | FEDORA | -
FEDORA-2011-0500 | http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053288.html | FEDORA | -
70605 | http://osvdb.org/70605 | OSVDB | -
43002 | http://secunia.com/advisories/43002 | SECUNIA | Vendor Advisory
43078 | http://secunia.com/advisories/43078 | SECUNIA | -
43085 | http://secunia.com/advisories/43085 | SECUNIA | -
43135 | http://secunia.com/advisories/43135 | SECUNIA | -
GLSA-201406-32 | http://security.gentoo.org/glsa/glsa-201406-32.xml | GENTOO | -
DSA-2224 | http://www.debian.org/security/2011/dsa-2224 | DEBIAN | -
MDVSA-2011:054 | http://www.mandriva.com/security/advisories?name=MDVSA-2011:054 | MANDRIVA | -
RHSA-2011:0176 | http://www.redhat.com/support/errata/RHSA-2011-0176.html | REDHAT | -
45894 | http://www.securityfocus.com/bid/45894 | BID | -
USN-1052-1 | http://www.ubuntu.com/usn/USN-1052-1 | UBUNTU | -
USN-1055-1 | http://www.ubuntu.com/usn/USN-1055-1 | UBUNTU | -
ADV-2011-0165 | http://www.vupen.com/english/advisories/2011/0165 | VUPEN | Vendor Advisory
ADV-2011-0166 | http://www.vupen.com/english/advisories/2011/0166 | VUPEN | Vendor Advisory
ADV-2011-0215 | http://www.vupen.com/english/advisories/2011/0215 | VUPEN | -
ADV-2011-0239 | http://www.vupen.com/english/advisories/2011/0239 | VUPEN | -
http://www.zerodayinitiative.com/advisories/ZDI-11-014/ | http://www.zerodayinitiative.com/advisories/ZDI-11-014/ | MISC | -
https://bugzilla.redhat.com/show_bug.cgi?id=663680 | https://bugzilla.redhat.com/show_bug.cgi?id=663680 | CONFIRM | Patch
icedtea-jnlp-code-execution(64893) | https://exchange.xforce.ibmcloud.com/vulnerabilities/64893 | XF | -