{"id":"UBUNTU-CVE-2019-10182","details":"It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from \u003cjar/\u003e elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.","modified":"2026-05-20T16:03:24.604579097Z","published":"2019-07-31T22:15:00Z","upstream":["CVE-2019-10182"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10182"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2019/07/31/2"},{"type":"REPORT","url":"https://github.com/AdoptOpenJDK/IcedTea-Web/pull/344"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10182"},{"type":"REPORT","url":"https://github.com/AdoptOpenJDK/IcedTea-Web/issues/327"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-10182"}],"affected":[{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.2-1ubuntu2","1.5.3-0ubuntu1","1.6.1-1ubuntu2","1.6.1-3ubuntu1","1.6.1-4ubuntu1","1.6.2-1ubuntu1","1.6.2-2ubuntu1","1.6.2-3ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-8-plugin","binary_version":"1.6.2-3ubuntu1"},{"binary_name":"icedtea-netx","binary_version":"1.6.2-3ubuntu1"},{"binary_name":"icedtea-netx-common","binary_version":"1.6.2-3ubuntu1"},{"binary_name":"icedtea-plugin","binary_version":"1.6.2-3ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.6.2-3.1ubuntu3","1.8-0ubuntu8~18.04"],"ecosystem_specific":
{"binaries":[{"binary_name":"icedtea-8-plugin","binary_version":"1.8-0ubuntu8~18.04"},{"binary_name":"icedtea-netx","binary_version":"1.8-0ubuntu8~18.04"},{"binary_name":"icedtea-netx-common","binary_version":"1.8-0ubuntu8~18.04"},{"binary_name":"icedtea-plugin","binary_version":"1.8-0ubuntu8~18.04"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.8-0ubuntu8"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-netx","binary_version":"1.8-0ubuntu8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.8.4-1build1"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-netx","binary_version":"1.8.4-1build1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.8.8-2","1.8.8-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-netx","binary_version":"1.8.8-2ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],
"versions":["1.8.8-3"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-netx","binary_version":"1.8.8-3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}},{"package":{"name":"icedtea-web","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/icedtea-web?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.8.8-3","1.8.8-3build1","1.8.8-3ubuntu1","1.8.8-4"],"ecosystem_specific":{"binaries":[{"binary_name":"icedtea-netx","binary_version":"1.8.8-4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-10182.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}