CVE-2019-17560 – org.codehaus.mevenide:netbeans
Package
Manager: maven
Name: org.codehaus.mevenide:netbeans
Vulnerable Version: >=0 <=3.1.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01918 (percentile 0.82629)
Details
Improper Certificate Validation in Apache NetBeans
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for HTTPS-based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. NetBeans releases before the Apache transition started may also be affected.
Metadata
Created: 2022-05-24T22:28:22Z
Modified: 2023-02-15T22:08:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7c2m-vwxw-5qww/GHSA-7c2m-vwxw-5qww.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-7c2m-vwxw-5qww
Finding: F163
Auto approve: 1