CVE-2019-10753

{"id": "CVE-2019-10753", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2019-09-05T20:15:11.350", "references": [{"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-669"}]}], "descriptions": [{"lang": "en", "value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."}, {"lang": "es", "value": "En todas las versiones anteriores a la versi\u00f3n 3.9.6 para eclipse-wtp, todas las versiones anteriores a la versi\u00f3n 9.4.4 para eclipse-cdt, y todas las versiones anteriores a la versi\u00f3n 3.0.1 para eclipse-groovy, Spotless estaba resolviendo dependencias sobre un canal inseguro (http). Si la compilaci\u00f3n se produjo a trav\u00e9s de una conexi\u00f3n insegura, un usuario malintencionado podr\u00eda haber realizado un ataque Man-in-the-Middle durante la compilaci\u00f3n y alterar los artefactos de compilaci\u00f3n que se produjeron. En caso de que alguno de estos artefactos se vea comprometido, cualquier desarrollador que los use podr\u00eda ser alterado. **Nota:** Para validar que este artefacto no se vio comprometido, el mantenedor necesitar\u00eda confirmar que ninguno de los artefactos publicados en el registro no fue alterado. Hasta que esto suceda, no podemos garantizar que este artefacto no se vea comprometido a pesar de que la probabilidad de que esto ocurra es baja."}], "lastModified": "2019-09-06T17:20:25.690", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:diffplug:eclipse-cdt:*:*:*:*:*:spotless:*:*", "vulnerable": true, "matchCriteriaId": "CB7B7C5A-1D86-460F-A201-0BF5BA7D0FF1", "versionEndExcluding": "9.4.4"}, {"criteria": "cpe:2.3:a:diffplug:eclipse-groovy:*:*:*:*:*:spotless:*:*", "vulnerable": true, "matchCriteriaId": "67264E92-251B-42F1-9CD8-425C809EE6B8", "versionEndExcluding": "3.0.1"}, {"criteria": "cpe:2.3:a:diffplug:eclipse-wtp:*:*:*:*:*:spotless:*:*", "vulnerable": true, "matchCriteriaId": "2A313810-A3D7-4162-81AA-528E5381D24E", "versionEndExcluding": "3.9.6"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}