Bug 469953 (CVE-2008-4910) - CVE-2008-4910 Java Web Start Arbitrary File Execution via file URL
Summary: CVE-2008-4910 Java Web Start Arbitrary File Execution via file URL
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2008-4910
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-11-04 21:16 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:27 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-27 09:40:02 UTC
Embargoed:



Description Marc Schoenefeld 2008-11-04 21:16:01 UTC
"The JNLP BasicService in Sun Java Web Start allows remote attackers to execute arbitrary programs on a client machine via a file:// URL argument to the showDocument method. "

Comment 6 Vincent Danen 2010-12-24 00:26:35 UTC
References:

http://www.securityfocus.com/archive/1/archive/1/497799/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/497972/100/0/threaded
http://www.securityfocus.com/bid/31916
http://securityreason.com/securityalert/4542
http://xforce.iss.net/xforce/xfdb/46119 

I see no point in keeping this bug private.  The CVE is public, and it does not look as though Sun has addressed it (or if they have, they haven't mentioned it).

