Vulnerability Details : CVE-2020-5529
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
Products affected by CVE-2020-5529
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:camel:-:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:a:htmlunit:htmlunit:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-5529
0.56%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 78 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-5529
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-15 |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2020-5529
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
-
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-5529
-
https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0
Release HtmlUnit-2.37.0 · HtmlUnit/htmlunit · GitHubRelease Notes;Third Party Advisory
-
https://usn.ubuntu.com/4584-1/
USN-4584-1: HtmlUnit vulnerability | Ubuntu security notices | UbuntuThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html
[SECURITY] [DLA 2326-1] htmlunit security updateMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E
[camel] branch camel-2.25.x updated: Updating htmlunit due to CVE-2020-5529-Apache Mail Archives
-
https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E
[camel] branch camel-2.25.x updated: Updating htmlunit due to CVE-2020-5529 - Pony MailMailing List;Patch;Third Party Advisory
-
https://jvn.jp/en/jp/JVN34535327/
JVN#34535327: HtmlUnit vulenerable to arbitrary code executionThird Party Advisory
Jump to