{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-06T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-2817-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2817-1"}, {"name": "openSUSE-SU-2015:1595", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}, {"name": "FEDORA-2015-15676", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"}, {"name": "1033780", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033780"}, {"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}, {"name": "RHSA-2016:0778", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"}, {"name": "FEDORA-2015-15677", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5235", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "USN-2817-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2817-1"}, {"name": "openSUSE-SU-2015:1595", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}, {"name": "FEDORA-2015-15676", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"}, {"name": "1033780", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033780"}, {"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released", "refsource": "MLIST", "url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}, {"name": "RHSA-2016:0778", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"}, {"name": "FEDORA-2015-15677", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:08.683Z"}, "title": "CVE Program Container", "references": [{"name": "USN-2817-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2817-1"}, {"name": "openSUSE-SU-2015:1595", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}, {"name": "FEDORA-2015-15676", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"}, {"name": "1033780", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033780"}, {"name": "[distro-pkg-dev] 20150911 IcedTea-Web 1.6.1 and 1.5.3 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}, {"name": "RHSA-2016:0778", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"}, {"name": "FEDORA-2015-15677", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5235", "datePublished": "2015-10-09T14:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:08.683Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*", "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*", "matchCriteriaId": "8CDFD93B-693D-46DC-9C39-FDECB3E619E8", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BBCD86A-E6C7-4444-9D74-F861084090F0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:icedtea:*:*:*:*:*:*:*:*", "matchCriteriaId": "BDB43F31-4C43-4E80-8B2A-66A8502FCA11", "versionEndIncluding": "1.5.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:icedtea:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "28570EF8-C777-4AA9-BD96-ADA1D4B09B91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page."}, {"lang": "es", "value": "IcedTea-Web en versiones anteriores a 1.5.3 y 1.6.x en versiones anteriores a 1.6.1 no determina correctamente el origen de applets no firmados, lo que permite a atacantes remotos eludir el proceso de autorizaci\u00f3n o enga\u00f1ar al usuario para que acepte la ejecuci\u00f3n del applet a trav\u00e9s de una p\u00e1gina web manipulada."}], "id": "CVE-2015-5235", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-10-09T14:59:05.670", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1033780"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2817-1"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0778.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1033780"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2817-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Andrea Palazzo (Truel IT) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2016:0778", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "icedtea-web-0:1.6.2-1.el6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-05-10T00:00:00Z"}, {"advisory": "RHBA-2015:2457", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "icedtea-web-0:1.6.1-4.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}], "bugzilla": {"description": "icedtea-web: applet origin spoofing", "id": "1233697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "cwe": "CWE-345", "details": ["IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.", "It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin."], "name": "CVE-2015-5235", "public_date": "2015-09-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5235\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5235"], "threat_severity": "Moderate"}