CVE-2019-10753 - OpenCVE

In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Diffplug	Eclipse-cdt Eclipse-groovy Eclipse-wtp

Configuration 1 [-]

OR	cpe:2.3:a:diffplug:eclipse-cdt::::::spotless::*
	cpe:2.3:a:diffplug:eclipse-groovy::::::spotless::*
	cpe:2.3:a:diffplug:eclipse-wtp::::::spotless::*

No data.

References

Link	Providers
https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2019-09-05T19:45:24

Updated: 2024-08-04T22:32:01.979Z

Reserved: 2019-04-03T00:00:00

Link: CVE-2019-10753

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-05T20:15:11.350

Modified: 2019-09-06T17:20:25.690

Link: CVE-2019-10753

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Spotless", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions prior to version 3.9.6 for eclipse-wtp, All versions prior to version 9.4.4 for eclipse-cdt, All versions prior to version 3.0.1 for eclipse-groovy."}]}], "descriptions": [{"lang": "en", "value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."}], "problemTypes": [{"descriptions": [{"description": "Unsafe Dependancy Resolution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-05T19:45:24", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2019-10753", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Spotless", "version": {"version_data": [{"version_value": "All versions prior to version 3.9.6 for eclipse-wtp, All versions prior to version 9.4.4 for eclipse-cdt, All versions prior to version 3.0.1 for eclipse-groovy."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unsafe Dependancy Resolution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.979Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2019-10753", "datePublished": "2019-09-05T19:45:24", "dateReserved": "2019-04-03T00:00:00", "dateUpdated": "2024-08-04T22:32:01.979Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:diffplug:eclipse-cdt:*:*:*:*:*:spotless:*:*", "matchCriteriaId": "CB7B7C5A-1D86-460F-A201-0BF5BA7D0FF1", "versionEndExcluding": "9.4.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:diffplug:eclipse-groovy:*:*:*:*:*:spotless:*:*", "matchCriteriaId": "67264E92-251B-42F1-9CD8-425C809EE6B8", "versionEndExcluding": "3.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:diffplug:eclipse-wtp:*:*:*:*:*:spotless:*:*", "matchCriteriaId": "2A313810-A3D7-4162-81AA-528E5381D24E", "versionEndExcluding": "3.9.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."}, {"lang": "es", "value": "En todas las versiones anteriores a la versi\u00f3n 3.9.6 para eclipse-wtp, todas las versiones anteriores a la versi\u00f3n 9.4.4 para eclipse-cdt, y todas las versiones anteriores a la versi\u00f3n 3.0.1 para eclipse-groovy, Spotless estaba resolviendo dependencias sobre un canal inseguro (http). Si la compilaci\u00f3n se produjo a trav\u00e9s de una conexi\u00f3n insegura, un usuario malintencionado podr\u00eda haber realizado un ataque Man-in-the-Middle durante la compilaci\u00f3n y alterar los artefactos de compilaci\u00f3n que se produjeron. En caso de que alguno de estos artefactos se vea comprometido, cualquier desarrollador que los use podr\u00eda ser alterado. **Nota:** Para validar que este artefacto no se vio comprometido, el mantenedor necesitar\u00eda confirmar que ninguno de los artefactos publicados en el registro no fue alterado. Hasta que esto suceda, no podemos garantizar que este artefacto no se vea comprometido a pesar de que la probabilidad de que esto ocurra es baja."}], "id": "CVE-2019-10753", "lastModified": "2019-09-06T17:20:25.690", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-05T20:15:11.350", "references": [{"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-669"}], "source": "nvd@nist.gov", "type": "Primary"}]}