Remote Command Execution in Apache NetBeans Proxy Auto-Configuration
CVE-2018-17191

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Netbeans
Vendor: CVE Published:; 31 December 2018

Summary

Apache NetBeans (incubating) version 9.0 is susceptible to a remote command execution vulnerability due to improper handling of the Proxy Auto-Configuration (PAC) interpretation. The use of the nashorn script engine enables the environment of the JavaScript execution to leak privileged objects, which can be exploited to bypass preset execution limits. Should a different script engine be utilized, the absence of execution restrictions further exacerbates the risk, allowing for remote code execution through both vectors.

Affected Version(s)

Apache NetBeans 9.0 incubating

References

https://lists.apache.org/thread.html/d1c37966a316a326ab4f...

x_refsource_MISC

http://www.securityfocus.com/bid/106352

vdb-entryx_refsource_BID

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 31, 2018
Vulnerability Reserved
Sep 19, 2018