Date: Mon, 07 Sep 2020 16:28:14 +0200
From: Matthias Bläsing <mblaesing@...pel-helix.eu>
To: oss-security@...ts.openwall.com
Subject: [CVE-2020-11986] Opening a Gradle project with Apache NetBeans executes foreign script immediately

CVE-ID
------
CVE-2020-11986

Summary
-------
Opening a Gradle project with Apache NetBeans executes foreign script
immediately

Versions Affected:
------------------
- All Apache NetBeans versions up to and including 12.0
- NetBeans releases before the Apache transition started may also be
  affected

Description:
------------
To be able to analyse a Gradle project, the build script needs to be
executed.
Apache NetBeans follows this pattern and does not allow the user to
intercept or prevent the execution, so simply opening a Gradle project
runs that project's build script with the user's privileges.

Mitigation:
-----------
- Only open trusted Gradle projects with NetBeans
- Update to NetBeans 12.0-u1

Credit:
-------
The problem was identified by Emilian Bold
