CVE-2019-17561

The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E	Mailing List Mitigation Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:oracle:graalvm:19.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm:20.1.0::::enterprise:::

History

No history.

Information

Published : 2020-03-30 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2019-17561

Mitre link : CVE-2019-17561

CVE.ORG link : CVE-2019-17561

JSON object : View

Products Affected

apache

netbeans

oracle

graalvm

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2019-17561", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-03-30T19:15:15.797", "references": [{"url": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "The \"Apache NetBeans\" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. \"Apache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}, {"lang": "es", "value": "El sistema de actualizaci\u00f3n autom\u00e1tica de \"Apache NetBeans\" no comprueba completamente las firmas de c\u00f3digo. Un atacante podr\u00eda modificar el nbm descargado e incluir un c\u00f3digo adicional. \"Apache NetBeans\" versiones hasta 11.2 incluy\u00e9ndola est\u00e1n afectadas por esta vulnerabilidad."}], "lastModified": "2022-04-27T15:14:13.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B1C4DC9-9FF2-4BAB-BCD4-6D6CC4472EE8", "versionEndIncluding": "11.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.3.2:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "909B4029-1D4F-4D60-AC6D-98C7E9FF1B15"}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.1.0:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "B501426C-7FB5-4C0D-83E4-0279746EFBE8"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}