CVE-2019-10240

Published: Apr 3, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Affected (2)

Products: Eclipse: Hawkbit

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Eclipse Hawkbit	Up to 0.2.5
Eclipse Hawkbit	Version 0.3.0 m1

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References (2)

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053

Source: emo@eclipse.org

ExploitIssue TrackingVendor Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.