Lucene search

[email protected]CVE-2019-17561

HistoryMar 30, 2020 - 7:15 p.m.

CVE-2019-17561

2020-03-3019:15:15

CWE-347

[email protected]

web.nvd.nist.gov

apache netbeans

autoupdate system

code signatures

vulnerability

cve-2019-17561

nvd

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

49.2%

JSON

The “Apache NetBeans” autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. “Apache NetBeans” versions up to and including 11.2 are affected by this vulnerability.

Affected configurations

NVD

Node

apachenetbeansRange≤11.2

Node

oraclegraalvmMatch19.3.2enterprise

oraclegraalvmMatch20.1.0enterprise

CPENameOperatorVersion
apache:netbeansapache netbeansle11.2

CPE	Name	Operator	Version
apache:netbeans	apache netbeans	le	11.2

CNA Affected

[
  {
    "product": "Apache NetBeans",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "through 11.2"
      }
    ]
  }
]