Vulnerabilities in Apache NetBeans auto-update mechanism

Details have been disclosed about two vulnerabilities in the automatic update delivery mechanism of the Apache NetBeans integrated development environment that allow server-delivered updates and nbm packages to be replaced. The issues were quietly fixed in the Apache NetBeans 11.3 release.

The first vulnerability (CVE-2019-17560) was caused by the absence of SSL certificate and host name validation when downloading data over HTTPS, which makes it possible to silently substitute the downloaded data. The second vulnerability (CVE-2019-17561) concerns incomplete verification of a downloaded update against its digital signature, which allows an attacker to add extra code to nbm files without breaking the package's integrity check.
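The second issue is the classic gap between "every signed entry verifies" and "every entry is signed". An nbm is a JAR-style zip archive whose manifest carries a digest per entry, so a complete verifier must also refuse entries that the manifest does not list. The following added example (not NetBeans code) implements that coverage check in Python over a constructed archive; it assumes the signature over the manifest itself has already been validated and ignores manifest line continuations.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Map entry name -> SHA-256 digest from manifest sections with a Name: line (simplified)."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = base64.b64decode(line[len("SHA-256-Digest: "):])
        elif line == "":
            name = None  # a blank line ends the section
    return digests


def find_uncovered_entries(archive_bytes):
    """Return (entry, reason) for entries absent from the manifest or with a wrong digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        digests = parse_manifest(zf.read(MANIFEST).decode())
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or name.startswith("META-INF/"):
                continue  # directories and signature metadata are not digested
            expected = digests.get(name)
            if expected is None:
                problems.append((name, "not listed in manifest"))
            elif hashlib.sha256(zf.read(name)).digest() != expected:
                problems.append((name, "digest mismatch"))
    return problems


def build_sample_archive(extra_entry=None):
    """Constructed sample: manifest covering one entry, plus an optional entry added afterwards."""
    payload = b"signed module code"  # constructed stand-in for a class file
    digest = base64.b64encode(hashlib.sha256(payload).digest()).decode()
    manifest = ("Manifest-Version: 1.0\n\nName: org/example/Module.class\n"
                f"SHA-256-Digest: {digest}\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest)
        zf.writestr("org/example/Module.class", payload)
        if extra_entry:
            zf.writestr(extra_entry, b"unsigned injected code")
    return buf.getvalue()
```

A verifier that only walks the manifest and checks the listed digests would accept the archive with the extra entry; walking the archive instead, as above, reports it.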

Source: opennet.ru
