CVE-2010-3860

Description

IcedTea 1.7.x before 1.7.6, 1.8.x before 1.8.3, and 1.9.x before 1.9.2, as based on OpenJDK 6, declares multiple sensitive variables as public, which allows remote attackers to obtain sensitive information including (1) user.name, (2) user.home, and (3) java.home system properties, and other sensitive information such as installation directories.

CVSS Metrics

• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 1.51%• Percentile: 82%

Techniques & Countermeasures

• CWE-200•Exposure of Sensitive Information to an Unauthorized Actor

  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

• redhat•icedtea

  ≤ 1.9.1 | 1.5:rc1 | 1.5:rc2 | 1.5:rc3 | 1.6 | 1.7 | 1.8 | 1.8.1 | 1.8.2 | 1.9

References (15)

• http://security.gentoo.org/glsa/glsa-201406-32.xml
• http://lists.fedoraproject.org/pipermail/package-announce/2010-December/051711.html
• http://secunia.com/advisories/43085
• http://www.vupen.com/english/advisories/2011/0215
• http://www.ubuntu.com/usn/USN-1024-1
• http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
• http://secunia.com/advisories/42412
• http://www.vupen.com/english/advisories/2010/3090
• http://blog.fuseyism.com/index.php/2010/11/24/icedtea6-176-183-and-192-released/
• http://www.vupen.com/english/advisories/2010/3108
• https://bugzilla.redhat.com/show_bug.cgi?id=645843
• http://secunia.com/advisories/42417
• http://www.securityfocus.com/bid/45114
• http://icedtea.classpath.org/hg/release/icedtea6-1.9/rev/9aa0018d8c28
• http://www.redhat.com/support/errata/RHSA-2011-0176.html