CVE-2019-10248 – org.eclipse.vorto:org.eclipse.vorto.core
Package
Manager: maven
Name: org.eclipse.vorto:org.eclipse.vorto.core
Vulnerable Version: >=0 <0.11.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00165 (percentile: 0.38017)
Details
Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS.
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, the build artifacts that Vorto produced might be infected.
Metadata
Created: 2022-05-24T16:44:08Z
Modified: 2022-11-22T19:37:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fg2q-v428-2gph/GHSA-fg2q-v428-2gph.json
CWE IDs: ["CWE-494", "CWE-669", "CWE-829"]
Alternative ID: GHSA-fg2q-v428-2gph
Finding: F164
Auto approve: 1