Description

Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622

Related Vulnerabilities

CVE-2022-31186 Vulnerability in npm package next-auth

CVE-2021-32696 Vulnerability in npm package striptags

CVE-2019-10744 Vulnerability in maven package org.fujion.webjars:lodash

CVE-2021-42357 Vulnerability in maven package org.apache.knox:gateway-service-knoxsso

CVE-2017-12621 Vulnerability in maven package commons-jelly:commons-jelly

Severity

Critical

Classification

CWE-669 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory