CVE-2019-10240

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

CVSS v3 8.1 HIGH
CVSS v2.0 6.8 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:hawkbit::::::::
	cpe:2.3:a:eclipse:hawkbit:0.3.0:m1::::::

History

28 Oct 2021, 13:54

Type	Values Removed	Values Added
CWE	~~CWE-310~~	CWE-319

Information

Published : 2019-04-03 18:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-10240

Mitre link : CVE-2019-10240

CVE.ORG link : CVE-2019-10240

JSON object : View

Products Affected

eclipse

hawkbit

CWE

CWE-319

Cleartext Transmission of Sensitive Information

CWE-494

Download of Code Without Integrity Check

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2019-10240", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2019-04-03T18:29:17.503", "references": [{"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected."}, {"lang": "es", "value": "Eclipse hawkBit, en versiones anteriores a la 0.3.0M2, resolv\u00eda los artefactos de construcci\u00f3n en Maven para la interfaz de usuario basada en Vaadin mediante HTTP en lugar de HTTPS. Cualquiera de estos artefactos dependientes podr\u00eda haber sido comprometidos maliciosamente por un ataque Man-in-the-Middle (MitM). Por lo tanto, los artefactos de construcci\u00f3n producidos en hawkBit podr\u00edan infectarse."}], "lastModified": "2021-10-28T13:54:32.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:hawkbit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AECE2400-B719-4F2D-A67B-2C75E2686EBB", "versionEndIncluding": "0.2.5"}, {"criteria": "cpe:2.3:a:eclipse:hawkbit:0.3.0:m1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26D9B47F-213F-4994-ACDF-BE1964155B12"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}