CVE-2010-4351

The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.

Affected Software

Name	Vendor	Start Version	End Version
Icedtea	Redhat	1.7 (including)	1.7 (including)
Icedtea	Redhat	1.7.1 (including)	1.7.1 (including)
Icedtea	Redhat	1.7.2 (including)	1.7.2 (including)
Icedtea	Redhat	1.7.3 (including)	1.7.3 (including)
Icedtea	Redhat	1.7.4 (including)	1.7.4 (including)
Icedtea	Redhat	1.7.5 (including)	1.7.5 (including)
Icedtea	Redhat	1.7.6 (including)	1.7.6 (including)
Icedtea	Redhat	1.8 (including)	1.8 (including)
Icedtea	Redhat	1.8.1 (including)	1.8.1 (including)
Icedtea	Redhat	1.8.2 (including)	1.8.2 (including)
Icedtea	Redhat	1.8.3 (including)	1.8.3 (including)
Icedtea	Redhat	1.9 (including)	1.9 (including)
Icedtea	Redhat	1.9.1 (including)	1.9.1 (including)
Icedtea	Redhat	1.9.2 (including)	1.9.2 (including)
Icedtea	Redhat	1.9.3 (including)	1.9.3 (including)
Red Hat Enterprise Linux 5	RedHat	java-1.6.0-openjdk-1:1.6.0.0-1.17.b17.el5	*
Openjdk-6	Ubuntu	devel	*
Openjdk-6	Ubuntu	hardy	*
Openjdk-6	Ubuntu	karmic	*
Openjdk-6	Ubuntu	lucid	*
Openjdk-6	Ubuntu	maverick	*
Openjdk-6	Ubuntu	natty	*
Openjdk-6	Ubuntu	oneiric	*
Openjdk-6	Ubuntu	upstream	*
Openjdk-6b18	Ubuntu	karmic	*
Openjdk-6b18	Ubuntu	lucid	*
Openjdk-6b18	Ubuntu	maverick	*
Openjdk-6b18	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2010-4351
CWE	https://cwe.mitre.org/data/definitions/264.html

Affected Software

References