CVE-2011-2513

High

Description

The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.

References

https://bugzilla.redhat.com/show_bug.cgi?id=718164

http://ubuntu.com/usn/usn-1178-1

http://securitytracker.com/id?1025854

http://rhn.redhat.com/errata/RHSA-2011-1100.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015171.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2011-July/015170.html

http://icedtea.classpath.org/hg/release/icedtea-web-1.1/rev/c7ce6c0e6227

http://icedtea.classpath.org/hg/release/icedtea-web-1.0/rev/b29fdd0f4d04

Details

Source: Mitre, NVD

Published: 2014-05-14

Updated: 2014-06-25

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High