CVE-2020-17534 — Improper synchronization in Apache Netbeans HTML/Java API

Description

There exists a race condition between the deletion of the temporary file and the creation of the temporary directory in `webkit` subproject of HTML/Java API version 1.7. A similar vulnerability has recently been disclosed in other Java projects and the fix in HTML/Java API version 1.7.1 follows theirs: To avoid local privilege escalation version 1.7.1 creates the temporary directory atomically without dealing with the temporary file.

How to fix CVE-2020-17534

To remediate CVE-2020-17534, upgrade the affected package to a fixed version below.

—upgrade to 1.7.1 or later

Is CVE-2020-17534 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.0	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-17534
WEBgithub.com/apache/netbeans-html4j/commit/fa70e507e5555e1adb4f6518479fc408a7abd0e6
WEBlists.apache.org/thread.html/ra6119c0cdfccf051a846fa11b61364f5df9e7db93c310706a947f86a%40%3Cdev.netbeans.apache.org%3E