CVE-2019-10753 (GCVE-0-2019-10753)
Vulnerability from cvelistv5 – Published: 2019-09-05 19:45 – Updated: 2024-08-04 22:32
Summary
In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have performed a Man-in-the-Middle attack during the build and altered the build artifacts that were produced. If any of these artifacts were compromised, any developer using them could be affected. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were tampered with. Until this happens, we cannot guarantee that this artifact was not compromised, even though the probability that this happened is low.
Severity
No CVSS data available.
CWE
- Unsafe Dependency Resolution
Assigner
snyk (report@snyk.io)
References
| URL | Tags |
|---|---|
| https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:32:01.979Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spotless",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "All versions prior to version 3.9.6 for eclipse-wtp, All versions prior to version 9.4.4 for eclipse-cdt, All versions prior to version 3.0.1 for eclipse-groovy."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unsafe Dependancy Resolution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-05T19:45:24",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spotless",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 3.9.6 for eclipse-wtp, All versions prior to version 9.4.4 for eclipse-cdt, All versions prior to version 3.0.1 for eclipse-groovy."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unsafe Dependancy Resolution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2019-10753",
"datePublished": "2019-09-05T19:45:24",
"dateReserved": "2019-04-03T00:00:00",
"dateUpdated": "2024-08-04T22:32:01.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:diffplug:eclipse-cdt:*:*:*:*:*:spotless:*:*\", \"versionEndExcluding\": \"9.4.4\", \"matchCriteriaId\": \"CB7B7C5A-1D86-460F-A201-0BF5BA7D0FF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:diffplug:eclipse-groovy:*:*:*:*:*:spotless:*:*\", \"versionEndExcluding\": \"3.0.1\", \"matchCriteriaId\": \"67264E92-251B-42F1-9CD8-425C809EE6B8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:diffplug:eclipse-wtp:*:*:*:*:*:spotless:*:*\", \"versionEndExcluding\": \"3.9.6\", \"matchCriteriaId\": \"2A313810-A3D7-4162-81AA-528E5381D24E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.\"}, {\"lang\": \"es\", \"value\": \"En todas las versiones anteriores a la versi\\u00f3n 3.9.6 para eclipse-wtp, todas las versiones anteriores a la versi\\u00f3n 9.4.4 para eclipse-cdt, y todas las versiones anteriores a la versi\\u00f3n 3.0.1 para eclipse-groovy, Spotless estaba resolviendo dependencias sobre un canal inseguro (http). Si la compilaci\\u00f3n se produjo a trav\\u00e9s de una conexi\\u00f3n insegura, un usuario malintencionado podr\\u00eda haber realizado un ataque Man-in-the-Middle durante la compilaci\\u00f3n y alterar los artefactos de compilaci\\u00f3n que se produjeron. En caso de que alguno de estos artefactos se vea comprometido, cualquier desarrollador que los use podr\\u00eda ser alterado. **Nota:** Para validar que este artefacto no se vio comprometido, el mantenedor necesitar\\u00eda confirmar que ninguno de los artefactos publicados en el registro no fue alterado. Hasta que esto suceda, no podemos garantizar que este artefacto no se vea comprometido a pesar de que la probabilidad de que esto ocurra es baja.\"}]",
"id": "CVE-2019-10753",
"lastModified": "2024-11-21T04:19:51.267",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2019-09-05T20:15:11.350",
"references": "[{\"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377\", \"source\": \"report@snyk.io\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "report@snyk.io",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-669\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-10753\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2019-09-05T20:15:11.350\",\"lastModified\":\"2024-11-21T04:19:51.267\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.\"},{\"lang\":\"es\",\"value\":\"En todas las versiones anteriores a la versi\u00f3n 3.9.6 para eclipse-wtp, todas las versiones anteriores a la versi\u00f3n 9.4.4 para eclipse-cdt, y todas las versiones anteriores a la versi\u00f3n 3.0.1 para eclipse-groovy, Spotless estaba resolviendo dependencias sobre un canal inseguro (http). Si la compilaci\u00f3n se produjo a trav\u00e9s de una conexi\u00f3n insegura, un usuario malintencionado podr\u00eda haber realizado un ataque Man-in-the-Middle durante la compilaci\u00f3n y alterar los artefactos de compilaci\u00f3n que se produjeron. En caso de que alguno de estos artefactos se vea comprometido, cualquier desarrollador que los use podr\u00eda ser alterado. **Nota:** Para validar que este artefacto no se vio comprometido, el mantenedor necesitar\u00eda confirmar que ninguno de los artefactos publicados en el registro no fue alterado. Hasta que esto suceda, no podemos garantizar que este artefacto no se vea comprometido a pesar de que la probabilidad de que esto ocurra es baja.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-669\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:diffplug:eclipse-cdt:*:*:*:*:*:spotless:*:*\",\"versionEndExcluding\":\"9.4.4\",\"matchCriteriaId\":\"CB7B7C5A-1D86-460F-A201-0BF5BA7D0FF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:diffplug:eclipse-groovy:*:*:*:*:*:spotless:*:*\",\"versionEndExcluding\":\"3.0.1\",\"matchCriteriaId\":\"67264E92-251B-42F1-9CD8-425C809EE6B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:diffplug:eclipse-wtp:*:*:*:*:*:spotless:*:*\",\"versionEndExcluding\":\"3.9.6\",\"matchCriteriaId\":\"2A313810-A3D7-4162-81AA-528E5381D24E\"}]}]}],\"references\":[{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.