CVE-2019-17560
Published: 30 March 2020
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
Notes
Author | Note |
---|---|
seth-arnold | Ubuntu users probably do not have privileges for this to work. Typically applications are updated via apt update or snap refresh. This sounds more like a Windows or OS X issue. |
Mitigation
Disable auto-update if it exists.
Priority
Status
Package | Release | Status |
---|---|---|
netbeans Launchpad, Ubuntu, Debian |
hirsute |
Ignored
(end of life)
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
jammy |
Needs triage
|
|
xenial |
Needs triage
|
|
bionic |
Needs triage
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needs triage
|
|
groovy |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
mantic |
Needs triage
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |