{
  "threat_severity" : "Moderate",
  "public_date" : "2015-09-02T00:00:00Z",
  "bugzilla" : {
    "description" : "icedtea-web: unexpected permanent authorization of unsigned applets",
    "id" : "1233667",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1233667"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-138",
  "details" : [ "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.", "It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval." ],
  "acknowledgement" : "Red Hat would like to thank Andrea Palazzo (Truel IT) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-05-10T00:00:00Z",
    "advisory" : "RHSA-2016:0778",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "icedtea-web-0:1.6.2-1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-11-19T00:00:00Z",
    "advisory" : "RHBA-2015:2457",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "icedtea-web-0:1.6.1-4.el7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-5234\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5234" ],
  "name" : "CVE-2015-5234",
  "csaw" : false
}