{"id":"CVE-2019-10648","details":"Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.","aliases":["GHSA-q2xp-75m7-gv52"],"modified":"2025-12-24T16:50:51.955825Z","published":"2019-03-30T13:29:00.657Z","references":[{"type":"FIX","url":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd#diff-0296a8f9d4a509789f4dc4f052d9c36f"},{"type":"REPORT","url":"https://sourceforge.net/p/robocode/bugs/406/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/robo-code/robocode","events":[{"introduced":"0"},{"fixed":"836c84635e982e74f2f2771b2c8640c3a34221bd"}]}],"versions":["1.9.2.6","VER_1_7_4_3","VER_1_9_2_1","VER_1_9_2_2","VER_1_9_2_3","VER_1_9_2_4","VER_1_9_2_6","VER_1_9_3_2","VER_1_9_3_3","VER_1_9_3_5"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","id":"CVE-2019-10648-19c5b73c","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java"},"digest":{"line_hashes":["319416978909958965226420392537562082546","297009447134767115836245965826982975866","76610973793967019529792412526365161458","116645423806854039197887405458175645358","92786844422096866111030552258442159297","180388325876625515985449754933365726480","122618747390277253111337632346280818874","293053707693376044773250268863477593691","33767840584924451035111573017065999749","308109039430277146963629406654319623700","129966624206338879427140724619773724571","11723167308417213015365643502473623316","66541664797573326696488953593119084436","47377049407151084531840724231715392273","334051121192816834164003787457893661149","18646431191920042396464291436007602464","31880445604926087649265803357417810277","295298802407816291505910300352478832484","212332791757765157763439317646787384345"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"signature_version":"v1","id":"CVE-2019-10648-1d692b6f","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"getExpectedErrors","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java"},"digest":{"length":63,"function_hash":"325007845331223946427106772113072304381"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-54290f34","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java"},"digest":{"line_hashes":["245505440898332245135196841847174640761","115069648562675576427121812544223412947","162316734836134696231337617086182164326","184337221076470009505041581779914310687","264772566782017471242575012236286691277","267284668185505948515522097544470259819","3557389437101670592999615927554509546","293053707693376044773250268863477593691","33767840584924451035111573017065999749","308109039430277146963629406654319623700","129966624206338879427140724619773724571","308001345933826045551074080398385290724","165361047945414577481101095724070997455","183423996935300550226365067074358108206","18646431191920042396464291436007602464","246690701030652552113630032709338653201","198136196317821777974298479090389192298","47878511317620651386638008419005254751"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"signature_version":"v1","id":"CVE-2019-10648-609c20f1","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"onTurnEnded","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java"},"digest":{"length":312,"function_hash":"187166476824599931421708559517652605493"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-9310e9b0","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"runTeardown","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java"},"digest":{"length":102,"function_hash":"131608375113487988567534318017022234163"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-a5f09b9f","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"file":"robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java"},"digest":{"line_hashes":["265390809661457429343908283964184367055","151314116140128578616816670845433990495","140146928787659818704913375981922701980","61130740363712270112492362829344056397","129077702702614226772613539073190292798","245915808791736066965441936824962306712","173470619856542301726114646798879240737","130809302283615686410857276563941196534","234126060141607029551953851491416649248","230044840987450393053332139439210563648","83665019497414992395161339042547588978","129077702702614226772613539073190292798","245915808791736066965441936824962306712","173470619856542301726114646798879240737","333262420194298399287243350311041691050","277906728034418530513677561139445642939","185951376892617556633247056911977772101","239789505258013238564219943726691672728","308417045762445038446649692686981495345","235901862970329991568346005915905254542"],"threshold":0.9},"deprecated":false,"signature_type":"Line"},{"signature_version":"v1","id":"CVE-2019-10648-c044f418","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"runTeardown","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java"},"digest":{"length":181,"function_hash":"307280377479086662750004809773534067435"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-d03a812c","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"getExpectedErrors","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java"},"digest":{"length":63,"function_hash":"212332922164119727551317486823254868583"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-d61b6c22","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"onTurnEnded","file":"robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java"},"digest":{"length":416,"function_hash":"168749979757091830733621539204162579561"},"deprecated":false,"signature_type":"Function"},{"signature_version":"v1","id":"CVE-2019-10648-ee4e8dc3","source":"https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd","target":{"function":"checkAccess","file":"robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java"},"digest":{"length":648,"function_hash":"106830282079963368324989369247116010858"},"deprecated":false,"signature_type":"Function"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10648.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}