CVE-2011-0025

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/	Patch
http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset%3Bnode=3bd328e4b515
http://secunia.com/advisories/43135	Vendor Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.debian.org/security/2011/dsa-2224
http://www.mandriva.com/security/advisories?name=MDVSA-2011:054
http://www.securityfocus.com/bid/46110
http://www.ubuntu.com/usn/USN-1055-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/65151

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:icedtea:1.7:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.4:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.5:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.6:::::::*
	cpe:2.3:a:redhat:icedtea:1.7.7:::::::*
	cpe:2.3:a:redhat:icedtea:1.8:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.8.4:::::::*
	cpe:2.3:a:redhat:icedtea:1.9:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.1:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.2:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.3:::::::*
	cpe:2.3:a:redhat:icedtea:1.9.4:::::::*

History

13 Feb 2023, 00:15

Type	Values Removed	Values Added
References	~~{'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=672262', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=672262', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/security/cve/CVE-2011-0025', 'name': 'https://access.redhat.com/security/cve/CVE-2011-0025', 'tags': [], 'refsource': 'MISC'}~~
Summary	~~CVE-2011-0025 IcedTea jarfile signature verification bypass~~	IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

02 Feb 2023, 14:15

Type	Values Removed	Values Added
Summary	IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.	CVE-2011-0025 IcedTea jarfile signature verification bypass
References	{'url': 'http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515', 'name': 'http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset;node=3bd328e4b515', 'tags': ['Patch'], 'refsource': 'MISC'}	(MISC) http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset%3Bnode=3bd328e4b515 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=672262 - (MISC) https://access.redhat.com/security/cve/CVE-2011-0025 -

Information

Published : 2011-02-04 20:00

Updated : 2023-12-10 11:03

NVD link : CVE-2011-0025

Mitre link : CVE-2011-0025

CVE.ORG link : CVE-2011-0025

JSON object : View

Products Affected

redhat

icedtea

CWE

CWE-20

Improper Input Validation

6.8 /10