ghsa-jwqm-c9f2-2cq3
Vulnerability from github
Published
2019-04-15 16:19
Modified
2021-12-03 14:33
Severity ?
VLAI Severity ?
Summary
Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere , and Download of Code Without Integrity Check in Eclipse hawkBit
Details
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-autoconfigure"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-starters"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-boot-starter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-update-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-boot-starter-mgmt-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-boot-starter-mgmt-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-boot-starter-dmf-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.3.0M1"
},
"package": {
"ecosystem": "Maven",
"name": "org.eclipse.hawkbit:hawkbit-boot-starter-ddi-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0M2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10240"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-494",
"CWE-829"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-03T14:33:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
"id": "GHSA-jwqm-c9f2-2cq3",
"modified": "2021-12-03T14:33:13Z",
"published": "2019-04-15T16:19:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10240"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere , and Download of Code Without Integrity Check in Eclipse hawkBit "
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…