CVE-2020-17534 org.netbeans.html:pom

Package

Manager: maven
Name: org.netbeans.html:pom
Vulnerable Version: >=0 <1.7.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00068 (percentile: 0.21403)

Details

Improper synchronization in Apache NetBeans HTML/Java API

A race condition exists between the deletion of the temporary file and the creation of the temporary directory in the `webkit` subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects, and the fix in HTML/Java API version 1.7.1 follows theirs: to avoid local privilege escalation, version 1.7.1 creates the temporary directory atomically without dealing with the temporary file.
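The pattern described above next to its atomic replacement, as an added example that is not taken from the HTML/Java API code base. The class name, method names and the `webkit-demo` prefix are hypothetical; the racy method shows the general create-file, delete, make-directory sequence, not the project's exact code.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; all names here are hypothetical.
public class TempDirExample {

    // Racy pattern: a temporary file reserves a unique name, is deleted,
    // and the same name is then re-created as a directory.
    static File racyTempDir(String prefix) throws IOException {
        File f = File.createTempFile(prefix, "");
        if (!f.delete()) {
            throw new IOException("cannot delete " + f);
        }
        // Between delete() and mkdirs() the name is free again in a shared,
        // world-writable temp location. mkdirs() returns false if the path
        // already exists; ignoring that result means the caller goes on to
        // use a path that another local user may have created and may own.
        f.mkdirs();
        return f;
    }

    // Atomic replacement: the name is chosen and the directory is created
    // in one operation, with no intermediate file. Creation fails instead
    // of reusing an entry that already exists.
    static Path atomicTempDir(String prefix) throws IOException {
        return Files.createTempDirectory(prefix);
    }

    public static void main(String[] args) throws IOException {
        File racy = racyTempDir("webkit-demo");
        Path safe = atomicTempDir("webkit-demo");
        try {
            System.out.println("racy:   " + racy);
            System.out.println("atomic: " + safe);
            // On POSIX file systems, print who can access the new directory.
            if (safe.getFileSystem().supportedFileAttributeViews().contains("posix")) {
                System.out.println("atomic perms: " + Files.getPosixFilePermissions(safe));
            }
        } finally {
            Files.deleteIfExists(safe);
            Files.deleteIfExists(racy.toPath());
        }
    }
}
```

When auditing a code base for this class of bug, a `File.createTempFile` call followed by `delete()` and `mkdir()`/`mkdirs()` on the same `File` is the sequence to search for.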

Metadata

Created: 2022-02-09T22:25:18Z
Modified: 2022-05-03T19:31:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-ppc3-fpvh-7396/GHSA-ppc3-fpvh-7396.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-ppc3-fpvh-7396
Finding: F124
Auto approve: 1