Description

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546053

Related Vulnerabilities

CVE-2020-14967 Vulnerability in maven package org.webjars.bowergithub.kjur:jsrsasign

CVE-2010-1330 Vulnerability in maven package org.jruby:jruby

CVE-2018-1109 Vulnerability in npm package braces

CVE-2019-10747 Vulnerability in maven package org.webjars.npm:set-value

CVE-2019-7722 Vulnerability in maven package net.sourceforge.pmd:pmd-core

Severity

Critical

Classification

CWE-319 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Exploit Issue Tracking Vendor Advisory