CVE-2011-0025

high

Description

IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/65151

http://www.ubuntu.com/usn/USN-1055-1

http://www.securityfocus.com/bid/46110

http://www.mandriva.com/security/advisories?name=MDVSA-2011:054

http://www.debian.org/security/2011/dsa-2224

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://secunia.com/advisories/43135

http://icedtea.classpath.org/hg/release/icedtea-web-1.0?cmd=changeset%3Bnode=3bd328e4b515

http://blog.fuseyism.com/index.php/2011/02/01/security-icedtea6-178-185-195-released/

Details

Source: Mitre, NVD

Published: 2011-02-04

Updated: 2023-02-13

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High