First published: Fri Jul 01 2011(Updated: )
Omair Majid discovered an information disclosure flaw in the JNLP (Java Network Launching Protocol) implementation used in IcedTea and IcedTea-web. An unsigned Java Web Start application or Java Applet could use this flaw to determine a path to the cache directory (/home/<username>/.netx/cache/) used to store downloaded jars for Web Start application or Applet by querying class's ClassLoader properties. This discloses full path to user's home directory on the local system and user's login name.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Icedtea-web | =1.0.2 | |
Redhat Icedtea-web | <=1.0.3 | |
Redhat Icedtea-web | =1.1 | |
Redhat Icedtea-web | =1.0.1 | |
Redhat Icedtea-web | =1.0 | |
Redhat Icedtea6 | =1.9.2 | |
Redhat Icedtea6 | =1.8.4 | |
Redhat Icedtea6 | =1.9.6 | |
Redhat Icedtea6 | =1.8.5 | |
Redhat Icedtea6 | =1.8.3 | |
Redhat Icedtea6 | =1.8.2 | |
Redhat Icedtea6 | =1.8.1 | |
Redhat Icedtea6 | =1.9.3 | |
Redhat Icedtea6 | =1.9.4 | |
Redhat Icedtea6 | =1.9.1 | |
Redhat Icedtea6 | =1.8 | |
Redhat Icedtea6 | =1.8.6 | |
Redhat Icedtea6 | =1.9.5 | |
Redhat Icedtea6 | =1.9.8 | |
Redhat Icedtea6 | <=1.8.8 | |
Redhat Icedtea6 | =1.8.7 | |
Redhat Icedtea6 | =1.9.7 | |
redhat/icedtea-web | <1.0.4 | 1.0.4 |
redhat/icedtea-web | <1.1.1 | 1.1.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.