ID CVE-2013-1927
Summary The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." Per http://www.ubuntu.com/usn/USN-1804-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS" Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html "Affected Products: openSUSE 12.2"
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:icedtea-web:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.4:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.5:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.6:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.1.7:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:icedtea-web:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:icedtea-web:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
    cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 30-10-2018 - 16:27)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 916774
title CVE-2013-1926 icedtea-web: class loader sharing for applets with same codebase paths
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment icedtea-web is earlier than 0:1.2.3-2.el6_4
        oval oval:com.redhat.rhsa:tst:20130753005
      • comment icedtea-web is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20141417006
    • AND
      • comment icedtea-web-javadoc is earlier than 0:1.2.3-2.el6_4
        oval oval:com.redhat.rhsa:tst:20130753007
      • comment icedtea-web-javadoc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhba:tst:20141417008
rhsa
id RHSA-2013:0753
released 2013-04-17
severity Moderate
title RHSA-2013:0753: icedtea-web security update (Moderate)
rpms
  • icedtea-web-0:1.2.3-2.el6_4
  • icedtea-web-javadoc-0:1.2.3-2.el6_4
refmap via4
bid 59286
confirm
mandriva MDVSA-2013:146
misc
mlist [distro-pkg-dev] 20130417 IcedTea-Web 1.3.2 and 1.2.3 released!
osvdb 92544
secunia
  • 53109
  • 53117
suse
  • SUSE-SU-2013:0851
  • SUSE-SU-2013:1174
  • openSUSE-SU-2013:0715
  • openSUSE-SU-2013:0735
  • openSUSE-SU-2013:0826
  • openSUSE-SU-2013:0893
  • openSUSE-SU-2013:0897
  • openSUSE-SU-2013:0966
ubuntu USN-1804-1
xf icedtea-cve20131927-sec-bypass(83640)
Last major update 30-10-2018 - 16:27
Published 29-04-2013 - 22:55
Back to Top