CVE-2015-5236

NameCVE-2015-5236
DescriptionIt was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedtea-web (PTS)buster1.7.2-2vulnerable
bullseye1.8.4-1vulnerable
bookworm, sid1.8.8-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icedtea-websource(unstable)(unfixed)unimportant

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1256403
Negligible impact
Search for package or bug name: Reporting problems