
JNLP Injection Exploit?

Posted: 29 Jun 2022, 22:05
by Bill_V
Is OpenWebStart vulnerable to the exploit(s) detailed here: https://cybir.com/wp-content/uploads/20 ... elease.pdf
If so, is there a patch coming, or is there a way to configure it so that it's not vulnerable?
Thanks in advance.

Re: JNLP Injection Exploit?

Posted: 07 Jul 2022, 14:17
by Janak Mulani
Hi

We have seen this document earlier.

OWS allows you to specify a server whitelist for downloading jnlp and jars so that you can download signed jnlp files and jars from a trusted server using https.
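
The kind of check a server whitelist performs, as an added example that is not part of the original posts and is not OpenWebStart code or its configuration syntax: every URL a JNLP descriptor would download from must use https and resolve to an allowlisted host. The host names, sample descriptors and function names are constructed for illustration; signature verification of the jars is a separate step and is not shown.

```python
# Added illustration: audits a JNLP descriptor against a host allowlist.
# Not OpenWebStart's implementation; all hosts and samples are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"apps.example.com"}  # hypothetical trusted server

GOOD_JNLP = """<jnlp spec="1.0+" codebase="https://apps.example.com/app/" href="launch.jnlp">
  <resources>
    <jar href="lib/main.jar" main="true"/>
  </resources>
</jnlp>"""

BAD_JNLP = """<jnlp spec="1.0+" codebase="https://apps.example.com/app/" href="launch.jnlp">
  <resources>
    <jar href="lib/main.jar"/>
    <jar href="http://apps.example.com/app/lib/plain.jar"/>
    <extension href="https://cdn.example.net/ext.jnlp"/>
  </resources>
</jnlp>"""

RESOURCE_TAGS = {"jar", "nativelib", "extension"}  # elements that trigger downloads

def download_urls(jnlp_text):
    """Return the absolute URLs the descriptor would fetch, in document order."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    urls = [codebase] if codebase else []
    if root.get("href"):
        urls.append(urljoin(codebase, root.get("href")))
    for el in root.iter():
        if el.tag in RESOURCE_TAGS and el.get("href"):
            # Relative hrefs resolve against the codebase; absolute ones override it.
            urls.append(urljoin(codebase, el.get("href")))
    return urls

def violations(jnlp_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (url, reason) pairs for every download that breaks the policy."""
    bad = []
    for url in download_urls(jnlp_text):
        parts = urlsplit(url)
        if parts.scheme != "https":
            bad.append((url, "not https"))  # also catches unresolved relative URLs
        # .hostname ignores any userinfo part, so "trusted@other-host" is judged by other-host.
        elif (parts.hostname or "") not in allowed_hosts:
            bad.append((url, "host not allowlisted"))
    return bad

if __name__ == "__main__":
    for url, reason in violations(BAD_JNLP):
        print(f"{reason}: {url}")
```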