Alpine: icedtea-web: security update to 1.3.1-r0 (deprecated)

critical Tenable Cloud Security Plugin ID 401174

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the
same codebase path but from different domains, which allows remote attackers to obtain sensitive
information or possibly alter other applets via a crafted applet. (CVE-2013-1926)

- The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary
code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." (CVE-2013-1927)

See Also

https://git.alpinelinux.org/aports/commit/?id=82996f6d17d73247734e5b1d84f8fd4d81e936d2

https://git.alpinelinux.org/aports/commit/?id=e57627c8662326c4ace9d97c33a5395f5280f09f

Plugin Details

Severity: Critical

ID: 401174

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2013-1927

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/30/2013

Vulnerability Publication Date: 4/17/2013

Reference Information

CVE: CVE-2013-1926, CVE-2013-1927

BID: 59281, 59286