CVE-2020-11986
Published: 2020-09-09
Priority: P2 · 60 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 9.93% (95.0th percentile)
To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project. Apache NetBeans up to and including 12.0 did not request consent from the user for the analysis of the project at load time. This in turn will run potentially malicious code, from an external source, without the consent of the user.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | netbeans | <= 12.0 | — |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| apache | netbeans | >= 0 < 12.1-1 | 12.1-1 |
| debian | netbeans | < netbeans 12.1-1 (bookworm) | netbeans 12.1-1 (bookworm) |
Detection & IOCs (extracted from sources)
- In Apache NetBeans ≤12.0, Gradle build scripts (app/build.gradle) are automatically executed at project load time without user consent, enabling RCE via malicious execute() calls in Groovy build tasks.
- Monitor for NetBeans projects where app/build.gradle contains calls to execute() within task definitions; this is the Gradle-specific code execution vector exploited by CVE-2020-11986.
- Detect injection of malicious exec/process-launch stanzas into nbproject/build-impl.xml (Ant build file) within NetBeans project directories, as this is a known lateral injection point for pre/post-build RCE.
- Alert on NetBeans projects where pom.xml references the org.codehaus.mojo plugin inside the build tag with exec-style configuration, as this is a Maven-based code execution injection pattern.
- The 'Trust Project Build Script' option in the NetBeans Open Project dialog only guards Gradle script priming; manual builds bypass this consent check entirely, so monitor for build executions on untrusted projects.
- The fix was introduced in Apache NetBeans 12.1; versions up to and including 12.0 are vulnerable. Debian packages resolved this in version 12.1-1 across all tracked suites.
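A defender-side scanner for the first two detection points above, added here as an example (not code from the page's sources or from NetBeans): it walks a build.gradle with a brace-depth heuristic, reports every execute() call, and notes whether the call sits inside a task definition. The sample build script is constructed.

```python
"""Heuristic scanner for the Gradle vector listed above: reports execute()
calls in a build.gradle and whether each sits inside a task definition.
Added example with a constructed sample; not code from the page's sources."""
import re

# Start of a Groovy-DSL task definition (brace-depth heuristic, not a parser).
TASK_START = re.compile(r'^\s*(task\s+\w+|tasks\.(register|create)\s*\()')
EXEC_CALL = re.compile(r'\.execute\s*\(')


def scan_gradle_script(script: str):
    """Return (line_no, inside_task, line) for every execute() call.
    Top-level calls are reported too: they run in Gradle's configuration
    phase, which is what the IDE triggers when it primes the project."""
    hits = []
    inside_task, depth = False, 0
    for no, raw in enumerate(script.splitlines(), 1):
        code = raw.split("//", 1)[0]  # drop line comments
        if not inside_task and TASK_START.match(code):
            inside_task, depth = True, 0
        if EXEC_CALL.search(code):
            hits.append((no, inside_task, raw.strip()))
        if inside_task:  # count braces until the task block closes
            depth += code.count("{") - code.count("}")
            if depth <= 0 and "}" in code:
                inside_task = False
    return hits


# Constructed sample standing in for an app/build.gradle under review.
SAMPLE_BUILD_GRADLE = """\
plugins { id 'java' }
task greet {
    doLast {
        // benign stand-in for an injected command
        "echo hello".execute()
    }
}
task noop {
    println "configured"
}
"echo top".execute()
"""

if __name__ == "__main__":
    for no, in_task, text in scan_gradle_script(SAMPLE_BUILD_GRADLE):
        where = "inside task" if in_task else "top level (configuration phase)"
        print(f"line {no}: {text}  [{where}]")
```

Point it at each project's build.gradle before the project is opened in an IDE; any hit on an untrusted project is worth a manual look regardless of where it sits.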
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
CVE-2020-11986 [CRITICAL]: netbeans - To be able to analyze gradle projects, the build scripts need to be executed. Ap...
vendor_debian · 2020 · CVSS 9.8
Scope: local
bookworm: resolved (fixed in 12.1-1)
bullseye: resolved (fixed in 12.1-1)
forky: resolved (fixed in 12.1-1)
sid: resolved (fixed in 12.1-1)
trixie: resolved (fixed in 12.1-1)
GHSA
GHSA-cj3p-fc7w-fx87 [HIGH] (CVE-2020-11986): To be able to analyze gradle projects, the build scripts need to be executed
ghsa_unreviewed · 2022-05-24
OSV
CVE-2020-11986 [CRITICAL]: To be able to analyze gradle projects, the build scripts need to be executed
osv · 2020-09-09 · CVSS 9.8
No detection rules found.
No public exploits indexed.
Trendmicro
Attacking The Supply Chain: Developer
blogs_trendmicro · 2023-01-25 · Cloud
## Attacking The Supply Chain: Developer
In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”.
By: David Fiser, Jan 25, 2023
In 2021, we published an entry identifying the weak parts of the supply chain security. In the face of the surge in documented attacks, the entry gave a summarized overview of how malicious actors found gaps to abuse and take advantage of for possible gains and disruptions.
In this entry, we focus on one specific part of the supply chai
References
- https://lists.apache.org/thread.html/r0fb2ba21a0469f64c2dff945dbe68f7b1122e1bff2b2b46271682406%40%3Cnotifications.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/ra81cdcf325bf4ea085c178f95ed6b50d4f1c095be50577b2f9b88984%40%3Cnotifications.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rbb8ea1b684e73107a0a6a30245ad6112bec2e6e171368c808e69217e%40%3Cannounce.netbeans.apache.org%3E
Published: 2020-09-09