GHSA-cf8q-j9h3-7237

Source

https://github.com/advisories/GHSA-cf8q-j9h3-7237

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cf8q-j9h3-7237/GHSA-cf8q-j9h3-7237.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cf8q-j9h3-7237

Aliases

CVE-2019-17561

Published

2022-05-24T17:12:56Z

Modified

2023-11-08T04:01:24.373895Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Verification of Cryptographic Signature in Apache Netbeans

Details

The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability. NetBeans releases before the Apache transition started may also be affected.

Database specific

{
    "nvd_published_at": "2020-03-30T19:15:00Z",
    "github_reviewed_at": "2022-11-14T22:25:56Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-347"
    ]
}

References

Affected packages

Maven / org.codehaus.mevenide:netbeans

Package

Name: org.codehaus.mevenide:netbeans; View open source insights on deps.dev
Purl: pkg:maven/org.codehaus.mevenide/netbeans

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.1.4

Affected versions

1.*

1.2

1.3

1.4

3.*

3.0.9

3.0.10

3.0.12

3.1.1

3.1.4