CVE-2018-17191

Name of the Vulnerable Software and Affected Versions: Apache NetBeans versions 9.0

Description: The issue is related to the Proxy Auto-Configuration (PAC) file in the Apache NetBeans development environment, which fails to neutralize script code in attributes on a web page. This can allow a remote attacker to execute arbitrary code. The vulnerability is exploited through the nashorn script engine, which leaks privileged objects that can be used to circumvent execution limits. Alternatively, using a different script engine can also lead to remote code execution, as no execution limits are in place.

Recommendations: For Apache NetBeans version 9.0, consider disabling the nashorn script engine or restricting its use to minimize the risk of exploitation until a patch is available. Additionally, avoid using the Proxy Auto-Configuration (PAC) interpretation feature in the NetBeans environment until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.