NVD Vulnerability Detail

CVE-2015-5235

Summary	IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.
Publication Date	Oct. 9, 2015, 11:59 p.m.
Registration Date	Jan. 26, 2021, 2:52 p.m.
Last Update	Nov. 21, 2024, 11:32 a.m.

Affected software configurations

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html	Third Party Advisory
7	http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html	Patch
8	http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html	Patch
9	http://rhn.redhat.com/errata/RHSA-2016-0778.html	Third Party Advisory
10	http://rhn.redhat.com/errata/RHSA-2016-0778.html	Third Party Advisory
11	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
12	http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
13	http://www.securitytracker.com/id/1033780
14	http://www.securitytracker.com/id/1033780
15	http://www.ubuntu.com/usn/USN-2817-1
16	http://www.ubuntu.com/usn/USN-2817-1
17	https://bugzilla.redhat.com/show_bug.cgi?id=1233697	Issue Tracking
18	https://bugzilla.redhat.com/show_bug.cgi?id=1233697	Issue Tracking

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

IcedTea-Web における承認プロセスを回避される脆弱性

Title	IcedTea-Web における承認プロセスを回避される脆弱性
Summary	IcedTea-Web は、署名のないアプレットの源を適切に判定しないため、承認プロセスを回避される、またはユーザがアプレットの実行を承認するように誘導される脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工された Web ページを介して、承認プロセスを回避される、またはユーザがアプレットの実行を承認するように誘導される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 11, 2015, midnight
Registration Date	Oct. 14, 2015, 2:19 p.m.
Last Update	Oct. 14, 2015, 2:19 p.m.

Affected System

レッドハット

IcedTea-Web 1.5.3 未満

IcedTea-Web 1.6.1 未満の 1.6.x

Novell

openSUSE 13.1

openSUSE 13.2

Fedora Project

Fedora 21

Fedora 22

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-5235	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5235
National Vulnerability Database (NVD)
2	CVE-2015-5235	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5235

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2015-15676	https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167120.html
2	FEDORA-2015-15677	https://lists.fedoraproject.org/pipermail/package-announce/2015-September/167130.html
GnuPG Project
3	IcedTea-Web 1.6.1 and 1.5.3 released	http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
opensuse-security-announce
4	openSUSE-SU-2015:1595	http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00019.html
Red Hat Bugzilla
5	Bug 1233697	https://bugzilla.redhat.com/show_bug.cgi?id=1233697

Change Log

No	Changed Details	Date of change
0	[2015年10月14日] 掲載	Feb. 17, 2018, 10:37 a.m.