CVE-2015-5236

NameCVE-2015-5236
DescriptionIt was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedtea-web (PTS)jessie, jessie (lts)1.5.3-1+deb8u1vulnerable
stretch1.6.2-3.1+deb9u1vulnerable
buster1.7.2-2vulnerable
bullseye1.8.4-1vulnerable
bookworm1.8.8-2vulnerable
sid, trixie1.8.8-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icedtea-websource(unstable)(unfixed)unimportant

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1256403
Negligible impact

Search for package or bug name: Reporting problems