Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03YzJtLXZ3eHctNXF3d84AArEo
Improper Certificate Validation in Apache Netbeans
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. NetBeans releases before the Apache transition started may also be affected.
Permalink: https://github.com/advisories/GHSA-7c2m-vwxw-5qww
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03YzJtLXZ3eHctNXF3d84AArEo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-7c2m-vwxw-5qww, CVE-2019-17560
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-17560
- https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://github.com/advisories/GHSA-7c2m-vwxw-5qww
Affected Packages
maven:org.codehaus.mevenide:netbeans
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 3.1.4
No known fixed version
All affected versions: 3.0.9, 3.0.10, 3.0.12, 3.1.1, 3.1.4