CVE-ID
------

CVE-2019-17561

Summary
-------

The "Apache NetBeans" autoupdate system does not fully validate code signatures.

Versions Affected:
------------------

- All Apache NetBeans versions up to and including 11.2
- NetBeans releases before the Apache transition started may also be affected

Description:
------------

The "Apache NetBeans" autoupdate system does not fully validate code signatures. An attacker could modify the downloaded nbm and include additional code.

Mitigation:
-----------

- Disable autoupdates
- Install only plugins from trusted sources and validate the downloads by checking signatures and/or comparing checksums from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the signature and manually installing it

Credit:
-------

The investigation was triggered by a proof-of-concept submitted by Emilian Bold
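
A partial check for the "validate the downloads" mitigation, for a reader inspecting a downloaded nbm (a ZIP/JAR archive): it lists files that have no matching digest in META-INF/MANIFEST.MF. This is an added example, not Apache NetBeans code and not the submitted proof-of-concept. It assumes the standard JAR manifest layout, does not verify the signature over the manifest itself, and the archive produced by build_sample is constructed.

```python
# Added example: list nbm (ZIP/JAR) entries not covered by a manifest digest.
import base64, hashlib, io, re, zipfile

# Signature-related files are never listed in the manifest themselves.
SIG_FILES = re.compile(r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def manifest_digests(manifest_text):
    """Map entry name -> {algorithm: base64 digest} from per-entry sections."""
    # Normalise line endings, then unfold wrapped (continuation) lines.
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        name = attrs.get("Name")
        if name:
            digests[name] = {k[:-len("-Digest")]: v for k, v in attrs.items()
                             if k.endswith("-Digest")}
    return digests

def uncovered_entries(nbm_bytes):
    """Return {entry: reason} for files the manifest does not vouch for."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(nbm_bytes)) as zf:
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or SIG_FILES.match(name):
                continue
            listed = digests.get(name)
            if not listed:
                findings[name] = "no digest in manifest"
            for alg, expected in (listed or {}).items():
                h = hashlib.new(alg.replace("-", "").lower(), zf.read(name))
                if base64.b64encode(h.digest()).decode() != expected:
                    findings[name] = alg + " digest mismatch"
    return findings

def build_sample(extra=None):
    """Constructed sample archive: one listed file, optionally one added later."""
    payload = b"module code"
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: netbeans/modules/sample.jar\r\n"
                "SHA-256-Digest: " + digest + "\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("netbeans/modules/sample.jar", payload)
        if extra:
            zf.writestr(extra, b"not listed")
    return buf.getvalue()
```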
