Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBwYzMtZnB2aC03Mzk2
Improper synchronization in Apache Netbeans HTML/Java API
There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in webkit subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects and the fix in HTML/Java API version 1.7.1 follows theirs: To avoid local privilege escalation version 1.7.1 creates the temporary directory atomically without dealing with the temporary file.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBwYzMtZnB2aC03Mzk2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 7.0
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-ppc3-fpvh-7396, CVE-2020-17534
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-17534
- https://github.com/apache/netbeans-html4j/commit/fa70e507e5555e1adb4f6518479fc408a7abd0e6
- https://lists.apache.org/thread.html/ra6119c0cdfccf051a846fa11b61364f5df9e7db93c310706a947f86a%40%3Cdev.netbeans.apache.org%3E
- https://github.com/advisories/GHSA-ppc3-fpvh-7396
Blast Radius: 1.0
Affected Packages
maven:org.netbeans.html:pom
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.7.1
Fixed in: 1.7.1
All affected versions: 1.6.1
All unaffected versions: 1.7.1, 1.7.2, 1.7.3, 1.8.1