CVE-2020-5529
HIGHHtmlUnit < 2.37.0 - Remote Code Execution via Improper Rhino Engine Initialization
Title source: llmDescription
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application.
References (5)
Core 5
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0
Third Party Advisory third-party-advisory
x_refsource_jvn
https://jvn.jp/en/jp/JVN34535327/
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/4584-1/
Scores
CVSS v3
8.1
EPSS
0.0460
EPSS Percentile
90.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-665
CWE-94
Status
published
Products (5)
apache/camel
canonical/ubuntu_linux
16.04
debian/debian_linux
9.0
htmlunit/htmlunit
< 2.37.0
net.sourceforge.htmlunit/htmlunit
0 - 2.37.0Maven
Published
Feb 11, 2020
Tracked Since
Feb 18, 2026