GSD-2019-10753
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-10753",
"description": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.",
"id": "GSD-2019-10753"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-10753"
],
"details": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.",
"id": "GSD-2019-10753",
"modified": "2023-12-13T01:23:57.853848Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spotless",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 3.9.6 for eclipse-wtp, All versions prior to version 9.4.4 for eclipse-cdt, All versions prior to version 3.0.1 for eclipse-groovy."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unsafe Dependancy Resolution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,9.4.4)",
"affected_versions": "All versions before 9.4.4",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-669",
"CWE-937"
],
"date": "2019-09-06",
"description": "Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered.",
"fixed_versions": [
"9.4.4"
],
"identifier": "CVE-2019-10753",
"identifiers": [
"CVE-2019-10753"
],
"not_impacted": "All versions starting from 9.4.4",
"package_slug": "maven/com.diffplug.spotless/spotless-eclipse-cdt",
"pubdate": "2019-09-05",
"solution": "Upgrade to version 9.4.4 or above.",
"title": "Incorrect Resource Transfer Between Spheres",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-10753"
],
"uuid": "23f656da-2194-4f27-8b7c-2d8d336f02bf"
},
{
"affected_range": "(,3.0.1)",
"affected_versions": "All versions before 3.0.1",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-669",
"CWE-937"
],
"date": "2019-09-06",
"description": "Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered.",
"fixed_versions": [
"3.0.1"
],
"identifier": "CVE-2019-10753",
"identifiers": [
"CVE-2019-10753"
],
"not_impacted": "All versions starting from 3.0.1",
"package_slug": "maven/com.diffplug.spotless/spotless-eclipse-groovy",
"pubdate": "2019-09-05",
"solution": "Upgrade to version 3.0.1 or above.",
"title": "Incorrect Resource Transfer Between Spheres",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-10753"
],
"uuid": "4c0d1f92-572b-46c8-b8da-ffde9ea94908"
},
{
"affected_range": "(,3.9.6)",
"affected_versions": "All versions before 3.9.6",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-669",
"CWE-937"
],
"date": "2019-09-06",
"description": "Spotless is resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. If these artifacts were maliciously altered, developers using them could be compromised.",
"fixed_versions": [
"3.9.6"
],
"identifier": "CVE-2019-10753",
"identifiers": [
"CVE-2019-10753"
],
"not_impacted": "All versions starting from 3.9.6",
"package_slug": "maven/com.diffplug.spotless/spotless-eclipse-wtp",
"pubdate": "2019-09-05",
"solution": "Upgrade to version 3.9.6 or above.",
"title": "Incorrect Resource Transfer Between Spheres",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2019-10753"
],
"uuid": "2e38103b-aca0-48fd-847e-79f85dc143da"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:diffplug:eclipse-groovy:*:*:*:*:*:spotless:*:*",
"cpe_name": [],
"versionEndExcluding": "3.0.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:diffplug:eclipse-cdt:*:*:*:*:*:spotless:*:*",
"cpe_name": [],
"versionEndExcluding": "9.4.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:diffplug:eclipse-wtp:*:*:*:*:*:spotless:*:*",
"cpe_name": [],
"versionEndExcluding": "3.9.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"ID": "CVE-2019-10753"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-669"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-09-06T17:20Z",
"publishedDate": "2019-09-05T20:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…