CVE-2019-10240 – org.eclipse.hawkbit:hawkbit-boot-starter
Package
Manager: maven
Name: org.eclipse.hawkbit:hawkbit-boot-starter
Vulnerable Version: >=0 <0.3.0m2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00082 (percentile: 0.24757)
Details
Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere, and Download of Code Without Integrity Check in Eclipse hawkBit
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin-based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. As a result, the build artifacts produced for hawkBit might be infected.
Metadata
Created: 2019-04-15T16:19:23Z
Modified: 2021-12-03T14:33:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-jwqm-c9f2-2cq3/GHSA-jwqm-c9f2-2cq3.json
CWE IDs: ["CWE-319", "CWE-494", "CWE-829"]
Alternative ID: GHSA-jwqm-c9f2-2cq3
Finding: F332
Auto approve: 1