Login Sign Up

CVE-2020-17534

7.0 HIGH

📋 TL;DR

CVE-2020-17534 is a race condition vulnerability in the webkit subproject of Apache NetBeans HTML/Java API that could allow local privilege escalation. An attacker could exploit the timing issue between temporary file deletion and directory creation to gain elevated privileges. This affects users running vulnerable versions of Apache NetBeans HTML/Java API.

💻 Affected Systems

Products:
  • Apache NetBeans HTML/Java API
Versions: Version 1.7 only
Operating Systems: All operating systems running vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the webkit subproject within HTML/Java API version 1.7.

📦 What is this software?

Html\/java Api by Apache

View all CVEs affecting Html\/java Api →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root/admin privileges on the system, potentially leading to complete system compromise.

🟠

Likely Case

Local user escalates privileges to execute arbitrary code with higher permissions than intended.

🟢

If Mitigated

Attack fails due to proper access controls and patched software, with minimal impact.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and precise timing to trigger the race condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.7.1

Vendor Advisory: https://lists.apache.org/thread.html/ra6119c0cdfccf051a846fa11b61364f5df9e7db93c310706a947f86a%40%3Cdev.netbeans.apache.org%3E

Restart Required: Yes

Instructions:

1. Download Apache NetBeans HTML/Java API version 1.7.1 from official sources. 2. Replace the vulnerable version 1.7 with the patched version. 3. Restart any applications using the HTML/Java API.

🔧 Temporary Workarounds

Restrict local access

all

Limit local user access to systems running vulnerable software

Use principle of least privilege

all

Ensure users run with minimal necessary privileges to reduce impact

🧯 If You Can't Patch

  • Restrict local user access to affected systems
  • Monitor for suspicious privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if Apache NetBeans HTML/Java API version 1.7 is installed on the system

Check Version:

Check application documentation or package manager for installed version of netbeans-html4j

Verify Fix Applied:

Verify that version 1.7.1 or later is installed and the webkit subproject has been updated

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Failed attempts to access temporary directories with timing patterns

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Search for privilege escalation events or failed file/directory access attempts with timing patterns

📊 Metadata

CVE ID: CVE-2020-17534
CVSS v3 Score: 7.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-362
Published: January 11, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-17534, you might also want to check these:

CVE-2025-43275 9.8

A race condition vulnerability in macOS allows malicious applications to escape their sandbox restri...

Same vulnerability type (CWE-362)
CVE-2021-32810 9.8

A race condition in crossbeam-deque Rust library versions before 0.7.4 and 0.8.0 allows tasks in wor...

Same vulnerability type (CWE-362)
CVE-2025-30444 9.8

A race condition vulnerability in macOS SMB client allows attackers to cause system termination (ker...

Same vulnerability type (CWE-362)