CVE-2019-17560 - OpenCVE

The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Netbeans
Oracle	Graalvm

Configuration 1 [-]

cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:graalvm:19.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm:20.1.0::::enterprise:::

References

Link	Resource
https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E	Mailing List Mitigation Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2020-03-30T18:39:41

Updated: 2020-07-15T02:23:03

Reserved: 2019-10-14T00:00:00

Link: CVE-2019-17560

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-30T19:15:15.733

Modified: 2023-01-27T18:31:49.983

Link: CVE-2019-17560

JSON object: View

Redhat Information

No data.

CWE

CWE-295

{"containers": {"cna": {"affected": [{"product": "Apache NetBeans", "vendor": "n/a", "versions": [{"status": "affected", "version": "through 11.2"}]}], "descriptions": [{"lang": "en", "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Improper Certificate Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T02:23:03", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-17560", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache NetBeans", "version": {"version_data": [{"version_value": "through 11.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Certificate Validation"}]}]}, "references": {"reference_data": [{"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-17560", "datePublished": "2020-03-30T18:39:41", "dateReserved": "2019-10-14T00:00:00", "dateUpdated": "2020-07-15T02:23:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B1C4DC9-9FF2-4BAB-BCD4-6D6CC4472EE8", "versionEndIncluding": "11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.3.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "909B4029-1D4F-4D60-AC6D-98C7E9FF1B15", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.1.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B501426C-7FB5-4C0D-83E4-0279746EFBE8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}, {"lang": "es", "value": "El sistema de actualizaci\u00f3n autom\u00e1tica de \"Apache NetBeans\" no comprueba los certificados SSL y los nombres de host para descargas basadas en https. Esto permite a un atacante interceptar descargas de actualizaciones autom\u00e1ticas y modificar la descarga, inyectando potencialmente c\u00f3digo malicioso. \"Apache NetBeans\" versiones hasta 11.2 incluy\u00e9ndola est\u00e1n afectadas por esta vulnerabilidad."}], "id": "CVE-2019-17560", "lastModified": "2023-01-27T18:31:49.983", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-30T19:15:15.733", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}