SecurityTracker.com
Category:   Application (Generic)  >   IcedTea
Vendors:   IcedTea Project
IcedTea-Web Bugs Let Remote Users Determine the Home Directory Path and Manipulate the Security Warning Dialog
SecurityTracker Alert ID:  1025854
SecurityTracker URL:  http://securitytracker.com/id/1025854
CVE Reference:   CVE-2011-2513, CVE-2011-2514
Date:  Jul 27 2011
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0 prior to 1.0.4, 1.1 prior to 1.1.1
Description:   Two vulnerabilities were reported in IcedTea-Web. A remote user can determine the home directory path. A remote user can manipulate the Java Web Start security warning dialog.

A remote unsigned Java Web Start application or Java applet can exploit a flaw in the Java Network Launching Protocol (JNLP) implementation to determine the path to the cache directory used to store downloaded Java class and archive files, which may disclose the user's login name [CVE-2011-2513].

A remote unsigned Java Web Start application can exploit a flaw in the JNLP implementation to manipulate the content of a Security Warning dialog box [CVE-2011-2514]. The remote user may be able to cause the target user to unintentionally grant the application access permissions to local files.

Omair Majid reported these vulnerabilities.

Impact:   A remote user can determine the home directory path.

A remote user can manipulate the Java Web Start security warning dialog.

Solution:   The vendor has issued a fix (1.0.4, 1.1.1).

The vendor's advisory is available at:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html

Vendor URL:  icedtea.classpath.org/wiki/Main_Page
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 27 2011 (Red Hat Issues Fix) IcedTea-Web Bugs Let Remote Users Determine the Home Directory Path and Manipulate the Security Warning Dialog
Red Hat has issued a fix for Red Hat Enterprise Linux 6.


