CVE-2020-11986
published 2020-09-09


Priority: P260, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 9.93% (95.0th percentile)

To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project. Apache NetBeans up to and including 12.0 did not request consent from the user for the analysis of the project at load time. This in turn will run potentially malicious code, from an external source, without the consent of the user.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | netbeans | <= 12.0 | |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| debian | netbeans | < netbeans 12.1-1 (bookworm) | netbeans 12.1-1 (bookworm) |

Detection & IOCs (extracted from sources)

  • path: nbproject/build-impl.xml
  • path: app/build.gradle
  • path: .vscode/tasks.json
  • filename: pom.xml

  • In Apache NetBeans ≤12.0, Gradle build scripts (app/build.gradle) are automatically executed at project load time without user consent, enabling RCE via malicious execute() calls in Groovy build tasks.
  • Monitor for NetBeans projects where app/build.gradle contains calls to execute() within task definitions — this is the Gradle-specific code execution vector exploited by CVE-2020-11986.
  • Detect injection of malicious exec/process-launch stanzas into nbproject/build-impl.xml (Ant build file) within NetBeans project directories, as this is a known lateral injection point for pre/post-build RCE.
  • Alert on NetBeans projects where pom.xml references the org.codehaus.mojo plugin inside the build tag with exec-style configuration, as this is a Maven-based code execution injection pattern.
  • The 'Trust Project Build Script' option in NetBeans Open Project dialog only guards Gradle script priming; manual builds bypass this consent check entirely — monitor for build executions on untrusted projects.
  • The fix was introduced in Apache NetBeans 12.1; versions up to and including 12.0 are vulnerable. Debian packages resolved this in version 12.1-1 across all tracked suites.
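
A triage scan for the file indicators listed above, added here as an example; it is not code from this page's sources or from the NetBeans project. The regexes, function names and sample project contents are assumptions made for illustration, and `.vscode/tasks.json` is left out because the page names no pattern for it.

```python
import re
import tempfile
from pathlib import Path

# File name -> regex for the process-launch construct named in the indicators above.
# The regexes are assumptions of this example; a hit means "review before opening".
RULES = {
    "build.gradle": re.compile(r"\.execute\s*\("),    # Groovy "cmd".execute()
    "build-impl.xml": re.compile(r"<\s*exec\b"),      # Ant <exec> task
    "pom.xml": re.compile(r"exec-maven-plugin|<\s*executable\s*>"),
}

def scan_project(root):
    """Return sorted (relative path, line number, stripped line) for every hit under root."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        rule = RULES.get(path.name)
        if rule is None or not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        # Maven indicator: only relevant when the org.codehaus.mojo group is referenced.
        if path.name == "pom.xml" and "org.codehaus.mojo" not in text:
            continue
        for number, line in enumerate(text.splitlines(), start=1):
            if rule.search(line):
                findings.append((path.relative_to(root).as_posix(), number, line.strip()))
    return sorted(findings)

# Constructed sample project: file contents are made up for this example.
SAMPLE = {
    "app/build.gradle": 'apply plugin: "java"\ntask prime {\n    "id".execute()\n}\n',
    "nbproject/build-impl.xml": '<project>\n  <target name="-pre-compile">\n'
                                '    <exec executable="id"/>\n  </target>\n</project>\n',
    "pom.xml": "<project><build><plugins><plugin>\n<groupId>org.codehaus.mojo</groupId>\n"
               "<artifactId>exec-maven-plugin</artifactId>\n</plugin></plugins></build></project>\n",
    "lib/build.gradle": 'dependencies {\n    implementation "junit:junit:4.13"\n}\n',
}

def demo():
    """Write SAMPLE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_project(tmp)

if __name__ == "__main__":
    for rel, number, line in demo():
        print(f"{rel}:{number}: {line}")
```

Run `scan_project()` on a checkout before opening it in the IDE; comments are not stripped, so commented-out calls are reported as well and need a manual look.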

CVSS provenance

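| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |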