PT-2019-11652 · Eclipse · Eclipse Hawkbit

Dominic Schabel

Published

2019-04-03

Updated

2021-10-28

CVE-2019-10240

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Eclipse hawkBit versions prior to 0.3.0M2

Description: The issue allows for the potential compromise of Maven build artifacts used by the Vaadin based UI due to the use of HTTP instead of HTTPS. This could lead to maliciously compromised artifacts, resulting in potentially infected build artifacts of hawkBit. A man-in-the-middle (MITM) attack could exploit this issue.

Recommendations: For Eclipse hawkBit versions prior to 0.3.0M2, update to version 0.3.0M2 or later to resolve the issue. As a temporary workaround, consider restricting the use of HTTP for resolving Maven build artifacts to minimize the risk of exploitation.

Exploit

Fix

Cleartext Transmission of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-319CWE-494CWE-829

Related Identifiers

CVE-2019-10240

GHSA-JWQM-C9F2-2CQ3

Affected Products

Eclipse Hawkbit

PT-2019-11652 · Eclipse · Eclipse Hawkbit

CVE-2019-10240

Weakness Enumeration

Related Identifiers

Affected Products

References · 5