{
  "threat_severity" : "Moderate",
  "public_date" : "2015-09-02T00:00:00Z",
  "bugzilla" : {
    "description" : "icedtea-web: applet origin spoofing",
    "id" : "1233697",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1233697"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-345",
  "details" : [ "IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.", "It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin." ],
  "acknowledgement" : "Red Hat would like to thank Andrea Palazzo (Truel IT) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-05-10T00:00:00Z",
    "advisory" : "RHSA-2016:0778",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "icedtea-web-0:1.6.2-1.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-11-19T00:00:00Z",
    "advisory" : "RHBA-2015:2457",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "icedtea-web-0:1.6.1-4.el7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-5235\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5235" ],
  "name" : "CVE-2015-5235",
  "csaw" : false
}