CVE-2018-17191

Name: CVE-2018-17191
Creator: NVD / NIST
Published: 2018-12-31T14:29:00.24+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.75%

Last modified Jun 17, 2026

CVE-2018-17191 is a vulnerability of currently unknown severity. Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE). Using the nashorn script engine the environment of the javascript execution for the Proxy Auto-Configuration leaks privileged objects, that can be used to circumvent the execution limits. EPSS estimates a 7.75% chance of exploitation in the next 30 days.

Description

Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration (PAC) interpretation is vulnerable for remote command execution (RCE). Using the nashorn script engine the environment of the javascript execution for the Proxy Auto-Configuration leaks privileged objects, that can be used to circumvent the execution limits. If a different script engine was used, no execution limits were in place. Both vectors allow remote code execution.

Metrics

EPSS Probability

7.75%

93.9th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions
Apache	Netbeans	9.0

References

http://www.securityfocus.com/bid/106352Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/d1c37966a316a326ab4ff4d4bc056322e8adcbe984e8145c0ecda7fa%40%3Cdev.netbeans.apache.org%3E
http://www.securityfocus.com/bid/106352Third Party Advisory, VDB Entry
https://lists.apache.org/thread.html/d1c37966a316a326ab4ff4d4bc056322e8adcbe984e8145c0ecda7fa%40%3Cdev.netbeans.apache.org%3E

Timeline

Published: Dec 31, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-17191?

How severe is CVE-2018-17191?

Severity scoring for CVE-2018-17191 is pending analysis. The EPSS model estimates a 7.75% probability of exploitation in the next 30 days.

How do I fix CVE-2018-17191?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-17191?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST