CVE-2020-13651

Name of the Vulnerable Software and Affected Versions DigDash versions 2018R2 before p20200528 DigDash versions 2019R1 before p20200421 DigDash versions 2019R2 before p20200430

Description An issue allows a user to provide data that will be used to generate the JNLP file used by a client to obtain the right Java application. By providing an attacker-controlled URL, the client will obtain a rogue JNLP file specifying the installation of malicious JAR archives and executed with full privileges on the client computer.

Recommendations For DigDash version 2018R2 before p20200528, update to a version after p20200528 to resolve the issue. For DigDash version 2019R1 before p20200421, update to a version after p20200421 to resolve the issue. For DigDash version 2019R2 before p20200430, update to a version after p20200430 to resolve the issue. As a temporary workaround, consider restricting access to the JNLP file generation feature until a patch is available.