cnvd - cnvd-2020-21906

cnvd-2020-21906

Vulnerability from cnvd

Title: Apache NetBeans信任管理问题漏洞

Description:

Apache NetBeans是美国阿帕奇（Apache）软件基金会的一套软件开发平台。该平台支持Java、C语言／C++、PHP和HTML5等程序的开发

Apache NetBeans 11.2及之前版本中存在安全漏洞，该漏洞源于在通过HTTPS协议进行下载时，程序未能验证SSL证书和主机名。攻击者可利用该漏洞拦截自动更新下载并进行修改，注入恶意代码。

Severity: 中

Patch Name: Apache NetBeans信任管理问题漏洞的补丁

Patch Description:

Apache NetBeans是美国阿帕奇（Apache）软件基金会的一套软件开发平台。该平台支持Java、C语言／C++、PHP和HTML5等程序的开发

Apache NetBeans 11.2及之前版本中存在安全漏洞，该漏洞源于在通过HTTPS协议进行下载时，程序未能验证SSL证书和主机名。攻击者可利用该漏洞拦截自动更新下载并进行修改，注入恶意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E

Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-17560

Impacted products

Name
Apache NetBeans <=11.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-17560"
    }
  },
  "description": "Apache NetBeans\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u8f6f\u4ef6\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301Java\u3001C\u8bed\u8a00\uff0fC++\u3001PHP\u548cHTML5\u7b49\u7a0b\u5e8f\u7684\u5f00\u53d1\n\nApache NetBeans 11.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u901a\u8fc7HTTPS\u534f\u8bae\u8fdb\u884c\u4e0b\u8f7d\u65f6\uff0c\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1SSL\u8bc1\u4e66\u548c\u4e3b\u673a\u540d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u62e6\u622a\u81ea\u52a8\u66f4\u65b0\u4e0b\u8f7d\u5e76\u8fdb\u884c\u4fee\u6539\uff0c\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-21906",
  "openTime": "2020-04-08",
  "patchDescription": "Apache NetBeans\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u8f6f\u4ef6\u5f00\u53d1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301Java\u3001C\u8bed\u8a00\uff0fC++\u3001PHP\u548cHTML5\u7b49\u7a0b\u5e8f\u7684\u5f00\u53d1\r\n\r\nApache NetBeans 11.2\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u901a\u8fc7HTTPS\u534f\u8bae\u8fdb\u884c\u4e0b\u8f7d\u65f6\uff0c\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1SSL\u8bc1\u4e66\u548c\u4e3b\u673a\u540d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u62e6\u622a\u81ea\u52a8\u66f4\u65b0\u4e0b\u8f7d\u5e76\u8fdb\u884c\u4fee\u6539\uff0c\u6ce8\u5165\u6076\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache NetBeans\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache NetBeans \u003c=11.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-17560",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-31",
  "title": "Apache NetBeans\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2019-17560 (GCVE-0-2019-17560)

Vulnerability from cvelistv5

Published

2020-03-30 18:39

Modified

2024-08-05 01:40

Severity ?

CWE

Improper Certificate Validation

Summary

The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.

References

▼	URL	Tags
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Apache NetBeans	Version: through 11.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:40:15.835Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache NetBeans",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "through 11.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Certificate Validation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-07-15T02:23:03",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2019-17560",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache NetBeans",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "through 11.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The \"Apache NetBeans\" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. \u201cApache NetBeans\" versions up to and including 11.2 are affected by this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Certificate Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9b633c29ec89609%40%3Cdev.netbeans.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2019-17560",
    "datePublished": "2020-03-30T18:39:41",
    "dateReserved": "2019-10-14T00:00:00",
    "dateUpdated": "2024-08-05T01:40:15.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted