Bug 469953 (CVE-2008-4910)

Summary: CVE-2008-4910 Java Web Start Arbitrary File Execution via file URL
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-12-27 09:40:02 UTC

Description Marc Schoenefeld 2008-11-04 21:16:01 UTC
"The JNLP BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method."
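
Added defensive example, not code from the bug report or from Sun: a Java Web Start application that forwards strings it received from a document or the network to BasicService.showDocument can allowlist the URL scheme first, so a file:// argument never reaches the host platform. The class SafeShowDocument and its methods are hypothetical names; only javax.jnlp.BasicService and ServiceManager are real APIs.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

import javax.jnlp.BasicService;
import javax.jnlp.ServiceManager;
import javax.jnlp.UnavailableServiceException;

public final class SafeShowDocument {

    // Only remote web schemes are handed to the browser; file:, jar: and
    // anything else that resolves on the local machine is refused.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** True if url is an http(s) URL with a non-empty host. */
    static boolean isAllowed(URL url) {
        String scheme = url.getProtocol();
        String host = url.getHost();
        return scheme != null
                && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                && host != null
                && !host.isEmpty();
    }

    /**
     * Opens target in the user's browser via BasicService only when it passes
     * isAllowed(); returns false if the URL is malformed, rejected, or the
     * JNLP service is unavailable (i.e. not running under Java Web Start).
     */
    public static boolean showDocument(String target) {
        URL url;
        try {
            url = new URL(target);
        } catch (MalformedURLException e) {
            return false;
        }
        if (!isAllowed(url)) {
            return false; // e.g. file:///... is dropped here, never forwarded
        }
        try {
            BasicService bs = (BasicService) ServiceManager.lookup("javax.jnlp.BasicService");
            return bs.showDocument(url);
        } catch (UnavailableServiceException e) {
            return false;
        }
    }
}
```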

Comment 6 Vincent Danen 2010-12-24 00:26:35 UTC
References:

http://www.securityfocus.com/archive/1/archive/1/497799/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/497972/100/0/threaded
http://www.securityfocus.com/bid/31916
http://securityreason.com/securityalert/4542
http://xforce.iss.net/xforce/xfdb/46119

I see no point in keeping this bug private.  The CVE is public, and it does not look as though Sun has addressed it (or if they have, they haven't mentioned it).