Vulnerability Details CVE-2020-5529
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.016
EPSS Ranking 81.3%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0
- https://jvn.jp/en/jp/JVN34535327/
- https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html
- https://usn.ubuntu.com/4584-1/
- https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0
- https://jvn.jp/en/jp/JVN34535327/
- https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html
- https://usn.ubuntu.com/4584-1/
Products affected by CVE-2020-5529
-
cpe:2.3:a:apache:camel:-
-
cpe:2.3:a:htmlunit:htmlunit:-
-
cpe:2.3:a:htmlunit:htmlunit:2.0
-
cpe:2.3:a:htmlunit:htmlunit:2.1
-
cpe:2.3:a:htmlunit:htmlunit:2.10
-
cpe:2.3:a:htmlunit:htmlunit:2.11
-
cpe:2.3:a:htmlunit:htmlunit:2.12
-
cpe:2.3:a:htmlunit:htmlunit:2.13
-
cpe:2.3:a:htmlunit:htmlunit:2.14
-
cpe:2.3:a:htmlunit:htmlunit:2.15
-
cpe:2.3:a:htmlunit:htmlunit:2.16
-
cpe:2.3:a:htmlunit:htmlunit:2.17
-
cpe:2.3:a:htmlunit:htmlunit:2.18
-
cpe:2.3:a:htmlunit:htmlunit:2.19
-
cpe:2.3:a:htmlunit:htmlunit:2.2
-
cpe:2.3:a:htmlunit:htmlunit:2.20
-
cpe:2.3:a:htmlunit:htmlunit:2.21
-
cpe:2.3:a:htmlunit:htmlunit:2.22
-
cpe:2.3:a:htmlunit:htmlunit:2.23
-
cpe:2.3:a:htmlunit:htmlunit:2.24
-
cpe:2.3:a:htmlunit:htmlunit:2.25
-
cpe:2.3:a:htmlunit:htmlunit:2.26
-
cpe:2.3:a:htmlunit:htmlunit:2.27
-
cpe:2.3:a:htmlunit:htmlunit:2.28
-
cpe:2.3:a:htmlunit:htmlunit:2.29
-
cpe:2.3:a:htmlunit:htmlunit:2.3
-
cpe:2.3:a:htmlunit:htmlunit:2.30
-
cpe:2.3:a:htmlunit:htmlunit:2.31
-
cpe:2.3:a:htmlunit:htmlunit:2.32
-
cpe:2.3:a:htmlunit:htmlunit:2.33
-
cpe:2.3:a:htmlunit:htmlunit:2.34.0
-
cpe:2.3:a:htmlunit:htmlunit:2.34.1
-
cpe:2.3:a:htmlunit:htmlunit:2.35.0
-
cpe:2.3:a:htmlunit:htmlunit:2.36.0
-
cpe:2.3:a:htmlunit:htmlunit:2.4
-
cpe:2.3:a:htmlunit:htmlunit:2.5
-
cpe:2.3:a:htmlunit:htmlunit:2.6
-
cpe:2.3:a:htmlunit:htmlunit:2.7
-
cpe:2.3:a:htmlunit:htmlunit:2.8
-
cpe:2.3:a:htmlunit:htmlunit:2.9
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:debian:debian_linux:9.0