CVE-2020-17534

Опубликовано: 11 янв. 2021

Источник: nvd

CVSS3: 7

CVSS2: 4.4

EPSS Низкий

Описание

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in webkit subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects and the fix in HTML/Java API version 1.7.1 follows theirs: To avoid local privilege escalation version 1.7.1 creates the temporary directory atomically without dealing with the temporary file: https://github.com/apache/netbeans-html4j/commit/fa70e507e5555e1adb4f6518479fc408a7abd0e6

Ссылки

https://lists.apache.org/thread.html/ra6119c0cdfccf051a846fa11b61364f5df9e7db93c310706a947f86a%40%3Cdev.netbeans.apache.org%3E
Mailing List
Vendor Advisory
https://lists.apache.org/thread.html/ra6119c0cdfccf051a846fa11b61364f5df9e7db93c310706a947f86a%40%3Cdev.netbeans.apache.org%3E
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:html\/java_api:1.7:*:*:*:*:*:*:*

EPSS

Процентиль: 21%

0.00068

Низкий

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-362

Связанные уязвимости

CVE-2020-17534

CVSS3: 7

ubuntu

около 5 лет назад

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in `webkit` subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects and the fix in HTML/Java API version 1.7.1 follows theirs: To avoid local privilege escalation version 1.7.1 creates the temporary directory atomically without dealing with the temporary file: https://github.com/apache/netbeans-html4j/commit/fa70e507e5555e1adb4f6518479fc408a7abd0e6

GHSA-ppc3-fpvh-7396

CVSS3: 7

github

почти 4 года назад

Improper synchronization in Apache Netbeans HTML/Java API

EPSS

Процентиль: 21%

0.00068

Низкий

7 High

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-362