CVE-2019-10185 in IcedTea-Web

Summary

by MITRE

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.


Analysis

by VulDB Data Team • 05/20/2025

CVE-2019-10185 affects icedtea-web versions up to and including 1.7.2 and 1.8.2. It is a zip-slip flaw (CWE-22, path traversal) in the routine that auto-extracts JAR files when icedtea-web launches an applet or a Java Web Start (JNLP) application. Zip-slip arises when an archive extractor trusts the entry names stored in the archive: an attacker-controlled entry name containing directory traversal sequences is joined onto the extraction directory without being checked against it, so the resulting path lands outside the directory the extractor intended to populate.

Concretely, an entry name such as ../../escaped.txt (or the backslash form, ..\..\escaped.txt, on Windows) is neither rejected nor normalised before the entry is written, so the extractor creates the file relative to the parent directories of its cache rather than inside it. Every location the icedtea-web process can write to is reachable this way, and the file content is attacker-chosen. The result is an arbitrary-file-write primitive, which is exactly the kind of host access the applet sandbox exists to prevent.
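As an added example (not code from icedtea-web and not from the advisory), the vulnerable extraction pattern beside its hardened form, written in Python rather than Java so it runs stand-alone: a constructed JAR with two ordinary entries and one traversal entry is extracted both ways inside a scratch directory, and the hardened path check also covers the backslash, absolute-path and "dest is a prefix of the escape" cases. The cache layout, entry names and function names are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_jar() -> bytes:
    """Constructed sample JAR: two ordinary entries plus one zip-slip entry.
    A JAR is a zip; writestr stores the entry name verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Applet.class", b"\xca\xfe\xba\xbe")
        jar.writestr("../../escaped.txt", "written outside the cache dir\n")
    return buf.getvalue()


def extract_naive(jar_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: join the stored entry name onto dest and write.
    os.path.join keeps the '..' components, so the file lands where the archive says."""
    written = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(jar.read(info))
            written.append(os.path.abspath(target))
    return written


def safe_target(dest: str, entry_name: str) -> str:
    """Resolve entry_name under dest and refuse anything that would land outside.
    Backslashes count as separators so '..\\..\\x' is caught on POSIX too, absolute and
    drive-letter names are rejected, and commonpath (not startswith) does the final check."""
    if "\x00" in entry_name:
        raise ValueError("NUL byte in entry name")
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise ValueError("absolute entry name rejected: %r" % entry_name)
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError("zip-slip entry rejected: %r" % entry_name)
    return target


def is_safe_entry(dest: str, entry_name: str) -> bool:
    """Boolean wrapper around safe_target for quick checks."""
    try:
        safe_target(dest, entry_name)
        return True
    except ValueError:
        return False


def extract_safe(jar_bytes: bytes, dest: str) -> tuple:
    """Hardened extraction: same loop, but every entry passes safe_target(). Bad entries
    are collected so the demo can report them; a real loader should refuse the whole JAR."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(jar.read(info))
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Extract the constructed JAR both ways and report which files escaped the cache."""
    jar = build_malicious_jar()
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache", "applet")  # assumed cache layout
        os.makedirs(cache)
        naive = extract_naive(jar, cache)
        escaped = [p for p in naive if os.path.commonpath([cache, p]) != cache]

        cache2 = os.path.join(root, "cache-hardened", "applet")
        os.makedirs(cache2)
        written, rejected = extract_safe(jar, cache2)
        cache2_real = os.path.realpath(cache2)
        return {
            "naive_escaped": [os.path.relpath(p, root) for p in escaped],
            "safe_rejected": rejected,
            "safe_written": sorted(os.path.relpath(p, cache2_real) for p in written),
        }
```

Running demo() shows escaped.txt created one level above the cache tree by the naive extractor, while the hardened extractor writes only the two legitimate entries and reports the traversal entry as rejected. The realpath step matters: it also defeats an entry that walks through a symlink previously planted inside the cache.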

The impact goes beyond dropping a file. Because the written content is attacker-controlled, the flaw can replace the JAR of the application that is currently running (the "main running application" in the summary), so when classes are next loaded from it the attacker's code executes with whatever permissions that application holds, including outside the applet sandbox. The same primitive reaches any other file the user running icedtea-web can write, which turns a sandboxed applet into code execution as that user. Writes are bounded by the process's own file-system permissions, so escalation beyond the icedtea-web user is not part of this issue, but in environments where icedtea-web runs untrusted applets the sandbox escape alone is serious.

The fix is to upgrade to icedtea-web 1.8.3 or later (or a distribution package carrying the backported patch), where the extraction code validates each entry's resolved path against the target directory before writing. The only precondition for an attack is that icedtea-web be made to load a crafted JAR, for example through a JNLP file or applet served from a site the victim visits, so patching should not wait. Where patching lags, restrict which hosts may launch JNLP or applet content and watch for files appearing outside the icedtea-web cache directory during applet launches. VulDB classifies the weakness as CWE-22 (path traversal), which describes the root cause, and maps it to ATT&CK technique T1059 (Command and Scripting Interpreter), which describes the code execution that follows a successful write rather than the write itself.

Responsible

Red Hat, Inc.

Reservation

03/27/2019

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01417

KEV

no

Activities

very low

Sources
