Red Hat Bugzilla – Bug 469953
CVE-2008-4910 Java Web Start Arbitrary File Execution via file URL
Last modified: 2010-12-27 04:40:02 EST
"The JNLP BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method."
I see no point in keeping this bug private. The CVE is public, and it does not look as though Sun has addressed it (or if they have, they haven't mentioned it).