CVE-2020-5529 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2020-5529?

CVE-2020-5529 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-5529?

Check the references section above for vendor advisories and patch information. Affected products include: Htmlunit Htmlunit, Debian Debian Linux, Canonical Ubuntu Linux, Apache Camel.

Vulnerability Description

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Htmlunit	Htmlunit	< 2.37.0
Debian	Debian Linux	9.0
Canonical	Ubuntu Linux	16.04
Apache	Camel	-

Related Weaknesses (CWE)

CWE-94 CWE-665

References

https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0Release NotesThird Party Advisory
https://jvn.jp/en/jp/JVN34535327/Third Party Advisory
https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f23
https://lists.debian.org/debian-lts-announce/2020/08/msg00023.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4584-1/Third Party Advisory
https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0Release NotesThird Party Advisory
https://jvn.jp/en/jp/JVN34535327/Third Party Advisory
https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f23
https://lists.debian.org/debian-lts-announce/2020/08/msg00023.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4584-1/Third Party Advisory

FAQ

What is CVE-2020-5529?

CVE-2020-5529 is a vulnerability with a CVSS score of 8.1 (HIGH). HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Mor...

How severe is CVE-2020-5529?

CVE-2020-5529 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-5529?

Check the references section above for vendor advisories and patch information. Affected products include: Htmlunit Htmlunit, Debian Debian Linux, Canonical Ubuntu Linux, Apache Camel.