CVE-2020-5529: 
Java vulnerability analysis and mitigation

HtmlUnit prior to version 2.37.0 contained a code execution vulnerability (CVE-2020-5529). The vulnerability was discovered in early 2020 and disclosed on February 10, 2020. HtmlUnit, a Java-based library providing web browser functionality to Java programs, improperly initialized the Mozilla Rhino engine, which could allow malicious JavaScript code execution (JVN Report).

The vulnerability stems from improper initialization of the Mozilla Rhino engine in HtmlUnit. The Rhino engine offers functionality to make Java objects available from JavaScript, but due to incorrect initialization, malicious JavaScript code could execute arbitrary Java code on the application (CWE-284). Additionally, when embedded in Android applications, Android-specific initialization of the Rhino engine was done improperly, creating another vector for arbitrary code execution. The vulnerability has been assigned a CVSS v3.0 base score of 5.6 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (JVN Report).

An attacker could potentially execute arbitrary Java code on the target application through man-in-the-middle attacks or other methods that lead to the evaluation of malicious JavaScript code. This could result in unauthorized access to system resources and potential system compromise (JVN Report).

The vulnerability was fixed in HtmlUnit version 2.37.0. Users are advised to update to this version or later to mitigate the risk. Various Linux distributions have also released security updates to address this vulnerability, including Ubuntu 16.04 ESM (libhtmlunit-java - 2.8-1ubuntu2.1) and Debian 9 stretch (version 2.8-2+deb9u1) (Ubuntu Notice, Debian LTS).