Eclipse · Eclipse Hawkbit · CVE-2019-10240
Name of the Vulnerable Software and Affected Versions:
Eclipse hawkBit versions prior to 0.3.0M2
Description:
The issue allows for the potential compromise of Maven build artifacts used by the Vaadin based UI due to the use of HTTP instead of HTTPS. This could lead to maliciously compromised artifacts, resulting in potentially infected build artifacts of hawkBit. A man-in-the-middle (MITM) attack could exploit this issue.
Recommendations:
For Eclipse hawkBit versions prior to 0.3.0M2, update to version 0.3.0M2 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTTP for resolving Maven build artifacts to minimize the risk of exploitation.