CVE-2019-17560
Improper Certificate Validation in Apache Netbeans
9.1
CRITICAL
CVSS 3.1
EPSS 1.6%
Description
The "Apache NetBeans" autoupdate system does not validate SSL certificates or hostnames for HTTPS-based downloads. This allows an attacker positioned on the network path to intercept autoupdate downloads and modify them, potentially injecting malicious code. "Apache NetBeans" versions up to and including 11.2 are affected by this vulnerability.
How to fix CVE-2019-17560
To remediate CVE-2019-17560, upgrade each affected package to the fixed version listed below, where one is available.
- upgrade to 12.1-1 or later
- no fix listed
Is CVE-2019-17560 being exploited?
Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 12.1-1
- from 0, <= 3.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |