CVE-2011-3377

The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=742515
http://rhn.redhat.com/errata/RHSA-2011-1441.html
http://www.debian.org/security/2012/dsa-2420
http://www.osvdb.org/76940
http://www.ubuntu.com/usn/USN-1263-1
http://www.securityfocus.com/bid/50610
http://dbhole.wordpress.com/2011/11/08/icedtea-web-1-0-6-and-1-1-4-security-releases-released/	Patch Vendor Advisory
http://lists.opensuse.org/opensuse-updates/2012-03/msg00028.html

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:icedtea-web:1.1:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.1.1:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.1.2:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.1.3:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0.5:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0.2:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0.4:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0.1:::::::*
	cpe:2.3:a:redhat:icedtea-web:1.0.3:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:10.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:11.04:::::::*
	cpe:2.3:o:opensuse:opensuse:12.1:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*

Information

Published : 2014-02-05 11:55

Updated : 2018-10-30 09:27

NVD link : CVE-2011-3377

Mitre link : CVE-2011-3377

JSON object : View

CWE

CWE-264

Permissions, Privileges, and Access Controls

Advertisement

Products Affected

canonical

ubuntu_linux

opensuse

opensuse

redhat

icedtea-web

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=742515", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=742515", "tags": [], "refsource": "MISC"}, {"url": "http://rhn.redhat.com/errata/RHSA-2011-1441.html", "name": "RHSA-2011:1441", "tags": [], "refsource": "REDHAT"}, {"url": "http://www.debian.org/security/2012/dsa-2420", "name": "DSA-2420", "tags": [], "refsource": "DEBIAN"}, {"url": "http://www.osvdb.org/76940", "name": "76940", "tags": [], "refsource": "OSVDB"}, {"url": "http://www.ubuntu.com/usn/USN-1263-1", "name": "USN-1263-1", "tags": [], "refsource": "UBUNTU"}, {"url": "http://www.securityfocus.com/bid/50610", "name": "50610", "tags": [], "refsource": "BID"}, {"url": "http://dbhole.wordpress.com/2011/11/08/icedtea-web-1-0-6-and-1-1-4-security-releases-released/", "name": "http://dbhole.wordpress.com/2011/11/08/icedtea-web-1-0-6-and-1-1-4-security-releases-released/", "tags": ["Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://lists.opensuse.org/opensuse-updates/2012-03/msg00028.html", "name": "openSUSE-SU-2012:0371", "tags": [], "refsource": "SUSE"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The web browser plug-in in IcedTea-Web 1.0.x before 1.0.6 and 1.1.x before 1.1.4 allows remote attackers to bypass the Same Origin Policy (SOP) and execute arbitrary script or establish network connections to unintended hosts via an applet whose origin has the same second-level domain, but a different sub-domain than the targeted domain."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-264"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-3377", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-02-05T19:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:redhat:icedtea-web:1.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-30T16:27Z"}