{"id":"CVE-2019-10182","details":"It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from \u003cjar/\u003e elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.","modified":"2026-05-28T04:04:51.405823370Z","published":"2019-07-31T22:15:12.183Z","related":["SUSE-SU-2019:2033-1","SUSE-SU-2022:1259-1","openSUSE-SU-2019:1911-1","openSUSE-SU-2024:10855-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"7.0"}],"cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:enterprise_linux_desktop","source":"CPE_STRING"},{"source":"CPE_STRING","cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.0"}],"vendor_product":"redhat:enterprise_linux_server"},{"source":"CPE_STRING","cpes":["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.6"}],"vendor_product":"redhat:enterprise_linux_server_aus"},{"source":"CPE_STRING","cpes":["cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.6"}],"vendor_product":"redhat:enterprise_linux_server_eus"},{"source":"CPE_STRING","cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"7.0"}],"vendor_product":"redhat:enterprise_linux_workstation"}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00045.html"},{"type":"WEB","url":"http://packetstormsecurity.com/files/154748/IcedTeaWeb-Validation-Bypass-Directory-Traversal-Code-Execution.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00008.html"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Oct/5"},{"type":"REPORT","url":"https://bugzilla.redhat.com
/show_bug.cgi?id=CVE-2019-10182"},{"type":"FIX","url":"https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"},{"type":"FIX","url":"https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/adoptopenjdk/icedtea-web","events":[{"introduced":"0"},{"last_affected":"9dafc9fb6d388d86862733cf3a008b29fd2204f6"},{"last_affected":"6f71f3b56240cfac7f024b582b5f4565906ef38e"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.7.2"},{"last_affected":"1.8.2"}],"cpe":["cpe:2.3:a:icedtea-web_project:icedtea-web:*:*:*:*:*:*:*:*","cpe:2.3:a:icedtea-web_project:icedtea-web:1.8.2:*:*:*:*:*:*:*"],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["icedtea-web-1.8.2","icedtea-web-1.7-branchpoint","icedtea-web-1.8.1","icedtea-web-1.8.1pre","icedtea-web-1.8-branchpoint","icedtea-web-1.7.2","icedtea-web-1.7.1","icedtea-web-1.7","icedtea-web-1.6-branchpoint","icedtea-web-1.5-branchpoint","icedtea-web-1.4-branchpoint","icedtea-web-1.2-branchpoint","icedtea-web-1.1-branchpoint","icedtea-web-1.0-branchpoint"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10182.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}