
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN515
_____________________________________________________________________

DATE                : 15/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache NetBeans versions prior to
                     12.0-u1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/netbeans-announce/202009.mbox/%3cc15baff26306ad9810ca62b9cc2718303e5d8672.camel@apache.org%3e
_____________________________________________________________________

CVE-ID
------
CVE-2020-11986

Summary
-------
Opening a Gradle project with Apache NetBeans immediately executes a
foreign script

Versions Affected:
------------------
- All Apache NetBeans versions up to and including 12.0
- NetBeans releases before the Apache transition started may also be
  affected

Description:
------------
To be able to analyse a Gradle project, the build script needs to be
executed. Apache NetBeans follows this pattern and does not allow the
user to intercept or prevent the execution.

Mitigation:
-----------
- Only open trusted Gradle projects with NetBeans
- Update to NetBeans 12.0-u1
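
The following Python example is added here and is not part of the original
advisory or of the NetBeans project. It lists the files in a checkout that
Gradle processes when a project is loaded, so they can be read before the
project is opened in the IDE. The file list and the wrapper check reflect
standard Gradle behaviour and are assumptions; `make_sample` builds a
constructed tree and `example.invalid` is a placeholder host.

```python
import re
from pathlib import Path

# Assumption: this list reflects standard Gradle behaviour (settings/build
# scripts, buildSrc and the wrapper are processed when a project is loaded);
# it is not taken from the advisory or from the NetBeans source.
WRAPPER_PROPS = "gradle/wrapper/gradle-wrapper.properties"
OFFICIAL_DIST = "https://services.gradle.org/distributions/"


def load_time_files(project):
    """Relative paths of files to read before opening `project` in an IDE."""
    hits = set()
    for path in Path(project).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(project)
        if (path.name.endswith((".gradle", ".gradle.kts"))
                or path.name == "gradle.properties"
                or "buildSrc" in rel.parts
                or rel.as_posix() == WRAPPER_PROPS):
            hits.add(rel.as_posix())
    return sorted(hits)


def wrapper_url(project):
    """distributionUrl the wrapper would download and run, or None."""
    props = Path(project) / WRAPPER_PROPS
    if not props.is_file():
        return None
    match = re.search(r"^\s*distributionUrl\s*[=:]\s*(\S+)",
                      props.read_text(encoding="utf-8"), re.MULTILINE)
    # .properties files escape ':' as '\:'
    return match.group(1).replace("\\:", ":") if match else None


def review(project):
    """Summary for a reviewer: files to read and whether the wrapper URL is unusual."""
    url = wrapper_url(project)
    return {"files": load_time_files(project), "wrapper_url": url,
            "wrapper_nonstandard": url is not None and not url.startswith(OFFICIAL_DIST)}


def make_sample(root):
    """Constructed sample tree, for demonstration only."""
    files = {"settings.gradle": "", "build.gradle": "", "app/build.gradle.kts": "",
             "buildSrc/src/main/groovy/P.groovy": "", "src/main/java/App.java": "",
             WRAPPER_PROPS: "distributionUrl=https\\://example.invalid/gradle-bin.zip\n"}
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")
```

Run `review()` on a fresh checkout from a terminal or script, not from inside
the IDE, and read every listed file before opening the project.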

Credit:
-------
The problem was identified by Emilian Bold



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



