CVE-2018-17191

5 documents5 sources

Severity

9.8CRITICAL

EPSS

3.0%

top 13.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Netbeans Apache Netbeans

Timeline

PublishedDec 31

Latest updateMay 13

Description

Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE). Using the nashorn script engine the environment of the javascript execution for the Proxy Auto-Configuration leaks privileged objects, that can be used to circumvent the execution limits. If a different script engine was used, no execution limits were in place. Both vectors allow remote code execution.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/netbeans9.0

▶CVEListV5apache_software_foundation/apache_netbeans9.0 incubating

▶Debiannetbeans< 10.0-1+3

🔴Vulnerability Details

GHSA

GHSA-6wvp-4wg2-g6m4: Apache NetBeans (incubating) 9↗2022-05-13

▶

OSV

CVE-2018-17191: Apache NetBeans (incubating) 9↗2018-12-31

▶

CVEList

CVE-2018-17191: Apache NetBeans (incubating) 9↗2018-12-31

▶

📋Vendor Advisories

Debian

CVE-2018-17191: netbeans - Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpr...↗2018

▶