Ubuntu.comUB:CVE-2020-11986CVE-2020-11986
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.5%
To be able to analyze gradle projects, the build scripts need to be
executed. Apache NetBeans follows this pattern. This causes the code of the
build script to be invoked at load time of the project. Apache NetBeans up
to and including 12.0 did not request consent from the user for the
analysis of the project at load time. This in turn will run potentially
malicious code, from an external source, without the consent of the user.
References
launchpad.net/bugs/cve/CVE-2020-11986
lists.apache.org/thread.html/rbb8ea1b684e73107a0a6a30245ad6112bec2e6e171368c808e69217e%40%3Cannounce.netbeans.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2020-11986
security-tracker.debian.org/tracker/CVE-2020-11986
www.cve.org/CVERecord?id=CVE-2020-11986
www.openwall.com/lists/oss-security/2020/09/07/2
Related
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.5%