CVE-2011-0025

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/	Patch
http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset%3Bnode=3bd328e4b515
http://secunia.com/advisories/43135	Vendor Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.debian.org/security/2011/dsa-2224
http://www.mandriva.com/security/advisories?name=MDVSA-2011:054
http://www.securityfocus.com/bid/46110
http://www.ubuntu.com/usn/USN-1055-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/65151

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:icedtea:1.7:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.4:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.5:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.6:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.7:::::::*
	cpe:2.3:a:redhat:icedtea:1.8:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.4:::::::*
	cpe:2.3:a:redhat:icedtea:1.9:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.4:::::::*

History

No history.

Information

Published : 2011-02-04 20:00

Updated : 2023-02-13 00:15

NVD link : CVE-2011-0025

Mitre link : CVE-2011-0025

CVE.ORG link : CVE-2011-0025

JSON object : View

Products Affected

redhat

icedtea

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2011-0025", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2011-02-04T20:00:02.447", "references": [{"url": "http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset%3Bnode=3bd328e4b515", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/43135", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml", "source": "secalert@redhat.com"}, {"url": "http://www.debian.org/security/2011/dsa-2224", "source": "secalert@redhat.com"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:054", "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/46110", "source": "secalert@redhat.com"}, {"url": "http://www.ubuntu.com/usn/USN-1055-1", "source": "secalert@redhat.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65151", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are \"partially signed\" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source."}, {"lang": "es", "value": "IcedTea v1.7 anterior a v1.7.8, v1.8 anterior a v1.8.5 y v1.9 anterior a v1.9.5 no verifica adecuadamente las firmas de los archivos JAR que (1) est\u00e1n \"parcialmente firmados\" o (2), firmado por varias entidades, lo que permite a atacantes remotos enga\u00f1ar a usuarios ejecutando c\u00f3digo que parece provenir de una fuente de confianza."}], "lastModified": "2023-02-13T00:15:51.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:icedtea:1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4833BFF6-1B29-4455-BA90-A11DE1F6D008"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD18B06E-F419-4ADE-B6E5-DC364A9FF6CD"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED3970CE-8C3C-4F30-8927-1E5A6CD626E8"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E225339C-A5A8-4D56-A5EC-09814C83E0E2"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADC26C27-DAD1-4DA9-A1DE-E3D5060C3EB7"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "557CEA5C-2B78-4BC2-ABA2-E2272D3765A2"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39BB9DB4-AE61-4B74-B0AB-2363A5F4A9F0"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.7.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FAC1F98-711A-4A9D-B81A-5B8180E4A006"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68D8D8B4-8E82-4D08-9D39-2D94418D06E4"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3AD9684-D2D7-496B-B77A-2798244CB112"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6D37313-09D9-4726-B083-1FD83A602DE3"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCFB7FF0-B2D7-43F2-86ED-0DC4966373E8"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.8.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "880A1C3A-9210-4263-9F16-F78C36B7DD9C"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3303605E-F164-4B9F-90E5-55E47C1C568B"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7C448596-505E-451B-8BC5-73FCB2D11DE6"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.9.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39ECCC84-CA5A-44F7-B303-25BED16073B8"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.9.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D454FC4-329C-4C70-BF31-D3F8B6CF85E6"}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9D112A9B-C489-49FA-B446-54AEF1F515F1"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}