CVE-2019-17560

CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

9.1CRITICAL

EPSS

1.6%

top 18.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Netbeans Oracle Graalvm

Timeline

PublishedMar 30

Latest updateMay 24

Description

The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages5 packages

▶NVDapache/netbeans11.2

▶Mavenorg.codehaus.mevenide:netbeans3.1.4

▶CVEListV5apache_netbeansthrough 11.2

▶Debiannetbeans< 12.1-1+3

▶NVDoracle/graalvm19.3.2, 20.1.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Certificate Validation in Apache Netbeans↗2022-05-24

▶

GHSA

Improper Certificate Validation in Apache Netbeans↗2022-05-24

▶

CVEList

CVE-2019-17560: The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads↗2020-03-30

▶

OSV

CVE-2019-17560: The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads↗2020-03-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle GraalVM Risk Matrix: GraalVM Compiler (Apache NetBeans) — CVE-2019-17560↗2020-07-15

▶

Debian

CVE-2019-17560: netbeans - The "Apache NetBeans" autoupdate system does not validate SSL certificates and h...↗2019

▶