Vulnerability Description
The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the download, potentially injecting malicious code. “Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Netbeans | <= 11.2 |
| Oracle | Graalvm | 19.3.2 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9Mailing ListMitigationVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlPatchThird Party Advisory
- https://lists.apache.org/thread.html/r354d7654efa1050539fe56a3257696d1faeea4f3f9Mailing ListMitigationVendor Advisory
- https://www.oracle.com/security-alerts/cpujul2020.htmlPatchThird Party Advisory
FAQ
What is CVE-2019-17560?
CVE-2019-17560 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The "Apache NetBeans" autoupdate system does not validate SSL certificates and hostnames for https based downloads. This allows an attacker to intercept downloads of autoupdates and modify the downloa...
How severe is CVE-2019-17560?
CVE-2019-17560 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-17560?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Netbeans, Oracle Graalvm.