While processing a JNLP file, the href attribute of a <jar/> element by Icedtea-Web is vulnerable to directory traversal. <jar href="http://localhost/../../../../../XXX.any" version="2.0"/> Considering the line above, the file XXX.any is saved out of the cache directory, overwriting the destination if it already exists. This is effectively an (over)write-what-where primitive on the filesystem, which could be used to execute arbitrary code (eg. via placing a file in the startup folder, overwriting .bashrc, or similar).
Acknowledgments: Name: Imre Rad
Created icedtea-web tracking bugs for this issue: Affects: fedora-all [bug 1734803]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2004 https://access.redhat.com/errata/RHSA-2019:2004
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2003 https://access.redhat.com/errata/RHSA-2019:2003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10182
Mitigation: No known mitigation.
Upstream fixes : * 1.7 branch : CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6 CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/26305807b41a5b4e9813db42531acd754899207f CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd * 1.8 branch : CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/686213a6d68c21879d92cea3699b279c8f2662fa CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e