CVE-2019-17561 - OpenCVE

The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Netbeans
Oracle	Graalvm

Configuration 1 [-]

cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:graalvm:19.3.2::::enterprise:::
	cpe:2.3:a:oracle:graalvm:20.1.0::::enterprise:::

References

Link	Resource
https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E	Mailing List Mitigation Vendor Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2020-03-30T18:44:42

Updated: 2020-07-15T02:23:03

Reserved: 2019-10-14T00:00:00

Link: CVE-2019-17561

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-03-30T19:15:15.797

Modified: 2022-04-27T15:14:13.030

Link: CVE-2019-17561

JSON object: View

Redhat Information

No data.

CWE

CWE-347

{"containers": {"cna": {"affected": [{"product": "Apache NetBeans", "vendor": "n/a", "versions": [{"status": "affected", "version": "through 11.2"}]}], "descriptions": [{"lang": "en", "value": "The \"Apache NetBeans\" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. \"Apache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Improper Validation of Integrity Check Value", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T02:23:03", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-17561", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache NetBeans", "version": {"version_data": [{"version_value": "through 11.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The \"Apache NetBeans\" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. \"Apache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Validation of Integrity Check Value"}]}]}, "references": {"reference_data": [{"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-17561", "datePublished": "2020-03-30T18:44:42", "dateReserved": "2019-10-14T00:00:00", "dateUpdated": "2020-07-15T02:23:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:netbeans:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B1C4DC9-9FF2-4BAB-BCD4-6D6CC4472EE8", "versionEndIncluding": "11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.3.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "909B4029-1D4F-4D60-AC6D-98C7E9FF1B15", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.1.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B501426C-7FB5-4C0D-83E4-0279746EFBE8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The \"Apache NetBeans\" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. \"Apache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."}, {"lang": "es", "value": "El sistema de actualizaci\u00f3n autom\u00e1tica de \"Apache NetBeans\" no comprueba completamente las firmas de c\u00f3digo. Un atacante podr\u00eda modificar el nbm descargado e incluir un c\u00f3digo adicional. \"Apache NetBeans\" versiones hasta 11.2 incluy\u00e9ndola est\u00e1n afectadas por esta vulnerabilidad."}], "id": "CVE-2019-17561", "lastModified": "2022-04-27T15:14:13.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-30T19:15:15.797", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Mitigation", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/rb218aa720fc525f63d91761fbf67854f454ce7a697dbbee2001ae8b1%40%3Cdev.netbeans.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}