Description

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053

Related Vulnerabilities

CVE-2018-6561 Vulnerability in maven package org.webjars.bower:dijit

CVE-2021-43090 Vulnerability in maven package com.predic8:soa-model-core

CVE-2017-20162 Vulnerability in npm package ms

CVE-2020-7680 Vulnerability in maven package org.webjars.npm:docsify

CVE-2020-36179 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Issue Tracking Vendor Advisory