CVE-ID
------
CVE-2019-17561

Summary
-------
The "Apache NetBeans" autoupdate system does not fully validate code signatures.

Versions Affected:
------------------
- All Apache NetBeans versions up to and including 11.2
- NetBeans releases before the Apache transition started may also be affected

Description:
------------
The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code.

Mitigation:
-----------
- Disable autoupdates
- Install only plugins from trusted sources and validate the downloads by checking signatures and/or comparing checksums from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the signature and manually installing it

Credit:
-------
The investigation was triggered by a proof-of-concept submitted by Emilian Bold
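The mitigation above asks the installer to verify downloads by hand: compare the checksum against one taken from a trusted source, and confirm the archive's signature actually covers what is inside it. The script below is an added example written for this page, not code from the advisory or from the Apache NetBeans project. It assumes that an nbm is a ZIP archive signed in the JAR style (a META-INF/*.SF file that lists each covered entry, plus a signature block such as *.RSA); the archive it builds, the entry names and the checksum values are constructed for the demonstration. It flags entries that no signature file lists, which is the class of gap the description refers to (extra code added to a signed download), but it does not check the signature cryptographically; use `jarsigner -verify` or the equivalent for that.

```python
import hashlib
import hmac
import io
import zipfile

# File types under META-INF/ that belong to JAR-style signing rather than to the plugin payload.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def sha256_hex(data):
    """Hash bytes or a binary file-like object in chunks, so large downloads are not read at once."""
    if isinstance(data, (bytes, bytearray)):
        data = io.BytesIO(data)
    h = hashlib.sha256()
    for chunk in iter(lambda: data.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def checksum_matches(data, expected_hex):
    """Compare a download's SHA-256 with a checksum obtained from a trusted source (constant-time)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def signed_names(sf_text):
    """Collect the 'Name:' entries of a JAR-style .SF signature file, joining continuation lines."""
    names, current = set(), None
    for line in sf_text.splitlines():
        if line.startswith(" "):          # continuation of the previous header line
            if current is not None:
                current += line[1:]
            continue
        if current is not None:           # the previous Name: header is complete
            names.add(current)
            current = None
        if line.startswith("Name: "):
            current = line[len("Name: "):]
    if current is not None:
        names.add(current)
    return names


def is_signature_metadata(name):
    """True for the manifest and the signature files themselves, which no .SF lists."""
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES))


def unsigned_entries(archive_bytes):
    """List archive entries that no .SF signature file accounts for.

    Every .SF under META-INF/ names the entries it covers; a file added after signing
    has no such line and would be installed without any signature having vouched for it.
    This does not verify the signature itself, only which entries it could have covered.
    """
    covered, has_signature = set(), False
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(".SF"):
                has_signature = True
                covered |= signed_names(zf.read(name).decode("utf-8", "replace"))
    files = [n for n in names if not n.endswith("/")]
    if not has_signature:
        return sorted(files)              # nothing in the archive is signed at all
    return sorted(n for n in files if not is_signature_metadata(n) and n not in covered)


def build_sample_nbm():
    """Constructed sample archive (not a real NetBeans plugin): one signed module and one entry added after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n\nName: netbeans/modules/foo.jar\nSHA-256-Digest: AAAA\n\n")
        zf.writestr("META-INF/SIGNER.SF",
                    "Signature-Version: 1.0\n\nName: netbeans/modules/foo.jar\nSHA-256-Digest: BBBB\n\n")
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")   # placeholder blob, not a real PKCS#7 signature
        zf.writestr("netbeans/modules/foo.jar", b"signed module bytes")
        zf.writestr("netbeans/modules/extra.jar", b"entry added after signing")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_nbm()
    print("entries not covered by any signature:", unsigned_entries(sample))
    print("checksum matches itself:", checksum_matches(sample, sha256_hex(sample)))
```

Run against a real download, `checksum_matches` should be fed the checksum published by the trusted source, never one served alongside the file, and an empty list from `unsigned_entries` is a precondition for trusting the archive, not a substitute for verifying the signature block.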
