Description
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependency artifacts could have been maliciously compromised by a man-in-the-middle (MITM) attack, so the build artifacts produced by Vorto might be infected.
Remediation
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622