IcedTeaWeb suffers from multiple vulnerabilities including directory traversal and validation bypass issues that can lead to remote code execution. The affected versions are 1.7.2 and below, 1.8.2 and below. 1.6 is also vulnerable and not patched due to being EOL. Proof of concepts are provided.
1337c5ba88da32d6b2f207e5dfaef357aba71650ba7c348c9a4b63c551a403cd
Red Hat Security Advisory 2019-2003-01 - The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Issues addressed include a traversal vulnerability.
d8e98478c8d2690406b779748b74d3a565d823ed352eb2f15de8fb277ea717de
Red Hat Security Advisory 2019-2004-01 - The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Issues addressed include a traversal vulnerability.
49e3cfcdfd475964093f1e7bc4acd679300fcbb074c6c285aaa7d131311e155e