Vulnerability-Lookup

CVE-2019-10240 (GCVE-0-2019-10240)

Vulnerability from cvelistv5 – Published: 2019-04-03 18:04 – Updated: 2024-08-04 22:17

Summary

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Severity ?

No CVSS data available.

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CWE-494 - Download of Code Without Integrity Check

Assigner

eclipse

References

URL

	Vendor	Product	Version
	The Eclipse Foundation	Eclipse hawkBit	Affected: unspecified , < 0.3.0M2 (custom)

GHSA-JWQM-C9F2-2CQ3

Vulnerability from github – Published: 2019-04-15 16:19 – Updated: 2021-12-03 14:33

Summary

Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere , and Download of Code Without Integrity Check in Eclipse hawkBit

Details

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-autoconfigure"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-starters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-boot-starter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-update-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-boot-starter-mgmt-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-boot-starter-mgmt-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-boot-starter-dmf-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3.0M1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.hawkbit:hawkbit-boot-starter-ddi-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0M2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10240"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-494",
      "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-03T14:33:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
  "id": "GHSA-jwqm-c9f2-2cq3",
  "modified": "2021-12-03T14:33:13Z",
  "published": "2019-04-15T16:19:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10240"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere , and Download of Code Without Integrity Check in Eclipse hawkBit "
}

GSD-2019-10240

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-10240

Aliases

CVE-2019-10240

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-10240",
    "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
    "id": "GSD-2019-10240"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-10240"
      ],
      "details": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
      "id": "GSD-2019-10240",
      "modified": "2023-12-13T01:23:59.076303Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@eclipse.org",
        "ID": "CVE-2019-10240",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Eclipse hawkBit",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "0.3.0M2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "The Eclipse Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-494: Download of Code Without Integrity Check"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053",
            "refsource": "CONFIRM",
            "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-autoconfigure",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "336bf28a-74a2-488a-98f7-e3cf81760168"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-boot-starter-ddi-api",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "74a1950a-8cb0-4041-9c1f-df594a25e9af"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-boot-starter-dmf-api",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "a367b389-06fc-4e85-ad40-043f4f071001"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-boot-starter-mgmt-api",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "68b5f4ff-55bf-42cb-86c7-b62abd19ce9f"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-boot-starter-mgmt-ui",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "af3aeb05-45f9-452c-90d7-270b955d5db5"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-boot-starter",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "fbaa5942-7cf2-4395-92fc-092c7e239841"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0M1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-310",
            "CWE-937"
          ],
          "date": "2019-10-09",
          "description": "Eclipse hawkBit resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions before 0.3.0M1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-parent",
          "pubdate": "2019-04-03",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Man in the Middle",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053"
          ],
          "uuid": "16453bc9-6143-4a92-9097-bd2a2acff386"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-starters",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "d1673024-cd2d-47dc-b14b-a5b7e151466f"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-ui",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "7fbf0332-9d67-4ccc-84d9-7e8307fc9c96"
        },
        {
          "affected_range": "(,0.3.0M1]",
          "affected_versions": "All versions up to 0.3.0m1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-319",
            "CWE-937"
          ],
          "date": "2021-12-03",
          "description": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.",
          "fixed_versions": [
            "0.3.0M2"
          ],
          "identifier": "CVE-2019-10240",
          "identifiers": [
            "GHSA-jwqm-c9f2-2cq3",
            "CVE-2019-10240"
          ],
          "not_impacted": "All versions after 0.3.0m1",
          "package_slug": "maven/org.eclipse.hawkbit/hawkbit-update-server",
          "pubdate": "2019-04-15",
          "solution": "Upgrade to version 0.3.0M2 or above.",
          "title": "Cleartext Transmission of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10240",
            "https://github.com/advisories/GHSA-jwqm-c9f2-2cq3"
          ],
          "uuid": "32f4d2cb-2183-4234-9b80-7c7e1aba30b1"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:hawkbit:0.3.0:m1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:eclipse:hawkbit:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.2.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@eclipse.org",
          "ID": "CVE-2019-10240"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-10-28T13:54Z",
      "publishedDate": "2019-04-03T18:29Z"
    }
  }
}

FKIE_CVE-2019-10240

Vulnerability from fkie_nvd - Published: 2019-04-03 18:29 - Updated: 2024-11-21 04:18

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	emo@eclipse.org	https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053	Exploit, Issue Tracking, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053	Exploit, Issue Tracking, Vendor Advisory

Impacted products

	Vendor	Product	Version
	eclipse	hawkbit	*
	eclipse	hawkbit	0.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:eclipse:hawkbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AECE2400-B719-4F2D-A67B-2C75E2686EBB",
              "versionEndIncluding": "0.2.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:eclipse:hawkbit:0.3.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "26D9B47F-213F-4994-ACDF-BE1964155B12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected."
    },
    {
      "lang": "es",
      "value": "Eclipse hawkBit, en versiones anteriores a la 0.3.0M2, resolv\u00eda los artefactos de construcci\u00f3n en Maven para la interfaz de usuario basada en Vaadin mediante HTTP en lugar de HTTPS. Cualquiera de estos artefactos dependientes podr\u00eda haber sido comprometidos maliciosamente por un ataque Man-in-the-Middle (MitM). Por lo tanto, los artefactos de construcci\u00f3n producidos en hawkBit podr\u00edan infectarse."
    }
  ],
  "id": "CVE-2019-10240",
  "lastModified": "2024-11-21T04:18:43.300",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-03T18:29:17.503",
  "references": [
    {
      "source": "emo@eclipse.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053"
    }
  ],
  "sourceIdentifier": "emo@eclipse.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-494"
        },
        {
          "lang": "en",
          "value": "CWE-829"
        }
      ],
      "source": "emo@eclipse.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-10240 (GCVE-0-2019-10240)

GHSA-JWQM-C9F2-2CQ3

GSD-2019-10240

FKIE_CVE-2019-10240

Tags

Sightings

Nomenclature