CVE-2011-2513: Infoleak
First published: Fri Jul 01 2011(Updated: )
Omair Majid discovered an information disclosure flaw in the JNLP (Java Network Launching Protocol) implementation used in IcedTea and IcedTea-web. An unsigned Java Web Start application or Java Applet could use this flaw to determine a path to the cache directory (/home/<username>/.netx/cache/) used to store downloaded jars for Web Start application or Applet by querying class's ClassLoader properties. This discloses full path to user's home directory on the local system and user's login name.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea-web | <1.0.4 | 1.0.4 |
| redhat/icedtea-web | <1.1.1 | 1.1.1 |
| Red Hat IcedTea-Web | =1.0.2 | |
| Red Hat IcedTea-Web | <=1.0.3 | |
| Red Hat IcedTea-Web | =1.1 | |
| Red Hat IcedTea-Web | =1.0.1 | |
| Red Hat IcedTea-Web | =1.0 | |
| Red Hat IcedTea6 | =1.9.2 | |
| Red Hat IcedTea6 | =1.8.4 | |
| Red Hat IcedTea6 | =1.9.6 | |
| Red Hat IcedTea6 | =1.8.5 | |
| Red Hat IcedTea6 | =1.8.3 | |
| Red Hat IcedTea6 | =1.8.2 | |
| Red Hat IcedTea6 | =1.8.1 | |
| Red Hat IcedTea6 | =1.9.3 | |
| Red Hat IcedTea6 | =1.9.4 | |
| Red Hat IcedTea6 | =1.9.1 | |
| Red Hat IcedTea6 | =1.8 | |
| Red Hat IcedTea6 | =1.8.6 | |
| Red Hat IcedTea6 | =1.9.5 | |
| Red Hat IcedTea6 | =1.9.8 | |
| Red Hat IcedTea6 | <=1.8.8 | |
| Red Hat IcedTea6 | =1.8.7 | |
| Red Hat IcedTea6 | =1.9.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/c7ce6c0e6227
- http://ubuntu.com/usn/usn-1178-1
- http://icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b29fdd0f4d04
- http://securitytracker.com/id?1025854
- https://bugzilla.redhat.com/show_bug.cgi?id=718164
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html
- http://rhn.redhat.com/errata/RHSA-2011-1100.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=723556
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=723557
- https://rhn.redhat.com/errata/RHSA-2011-1100.html
Frequently Asked Questions
What is the severity of CVE-2011-2513?
The severity of CVE-2011-2513 is classified as medium due to potential information disclosure.
How do I fix CVE-2011-2513?
To fix CVE-2011-2513, update the IcedTea-web package to version 1.0.4 or higher.
What systems are affected by CVE-2011-2513?
CVE-2011-2513 affects IcedTea-web versions up to 1.1.1 and certain older versions of IcedTea.
What types of attacks can exploit CVE-2011-2513?
CVE-2011-2513 can be exploited by an attacker using an unsigned Java Web Start application to disclose the path to the cache directory.
Is CVE-2011-2513 still a concern in modern systems?
CVE-2011-2513 is less of a concern in modern systems using updated Java implementations, but caution is advised with legacy applications.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/severity
- agent/author
- agent/remedy
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-2513
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/redhat
- canonical/red hat icedtea-web
- version/red hat icedtea-web/1.0.2
- version/red hat icedtea-web/1.0.3
- version/red hat icedtea-web/1.1
- version/red hat icedtea-web/1.0.1
- version/red hat icedtea-web/1.0
- canonical/red hat icedtea6
- version/red hat icedtea6/1.9.2
- version/red hat icedtea6/1.8.4
- version/red hat icedtea6/1.9.6
- version/red hat icedtea6/1.8.5
- version/red hat icedtea6/1.8.3
- version/red hat icedtea6/1.8.2
- version/red hat icedtea6/1.8.1
- version/red hat icedtea6/1.9.3
- version/red hat icedtea6/1.9.4
- version/red hat icedtea6/1.9.1
- version/red hat icedtea6/1.8
- version/red hat icedtea6/1.8.6
- version/red hat icedtea6/1.9.5
- version/red hat icedtea6/1.9.8
- version/red hat icedtea6/1.8.8
- version/red hat icedtea6/1.8.7
- version/red hat icedtea6/1.9.7