CVE-2020-5529 — Improper Initialization in Htmlunit

CWE-665 — Improper Initialization CWE-94 — Code Injection9 documents7 sources

Severity

8.1HIGHNVD

EPSS

2.1%

top 15.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Htmlunit Htmlunit Project Htmlunit Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 11

Latest updateOct 15

Description

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDhtmlunit/htmlunit< 2.37.0

▶Ubuntuhtmlunit/htmlunit< 2.8-1ubuntu2.1

▶CVEListV5htmlunit_project/htmlunitprior to 2.37.0

Also affects: Debian Linux 9.0, Ubuntu Linux 16.04

🔴Vulnerability Details

OSV

Code execution vulnerability in HtmlUnit↗2020-05-21

▶

GHSA

Code execution vulnerability in HtmlUnit↗2020-05-21

▶

CVEList

CVE-2020-5529: HtmlUnit prior to 2↗2020-02-11

▶

OSV

CVE-2020-5529: HtmlUnit prior to 2↗2020-02-11

▶

📋Vendor Advisories

Ubuntu

HtmlUnit vulnerability↗2020-10-15

▶

Red Hat

htmlunit: malicious JavaScript code leads to arbitrary java code execution↗2020-02-10

▶

💬Community

Bugzilla

CVE-2020-5529 htmlunit: malicious JavScript code leads to arbitrary java code execution [fedora-all]↗2020-02-14

▶

Bugzilla

CVE-2020-5529 htmlunit: malicious JavaScript code leads to arbitrary java code execution↗2020-02-14

▶