PT-2019-12489 · Eclipse · Eclipse Buildship

Published 2019-06-14 · Updated 2023-03-24 · CVE-2019-11770

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Eclipse Buildship versions prior to 3.1.1

Description: The issue arises from Eclipse Buildship resolving dependencies over HTTP instead of HTTPS, making the artifacts susceptible to Man-In-The-Middle (MITM) attacks. This could lead to the malicious compromise of these artifacts and the infection of build artifacts. Furthermore, if any dependencies such as JARs were compromised, developers using them could remain infected even after updating to fix this issue.

Recommendations: For Eclipse Buildship versions prior to 3.1.1, update to version 3.1.1 or later to resolve the issue. As a temporary workaround, consider configuring the build files to resolve dependencies over HTTPS instead of HTTP to minimize the risk of exploitation. Restrict access to dependencies resolved over HTTP to minimize the risk of infection.
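
A check for the HTTPS workaround described under Recommendations, as an added example that is not part of the original advisory or of Buildship's code: it scans Gradle build script text for quoted http:// URLs while ignoring commented-out ones. The sample build script, the example.com hosts and the function names are constructed for illustration, and the scan is a heuristic that flags every quoted http:// URL, so each hit still needs a person to confirm it is a repository.

```python
import re

# A quoted plain-HTTP URL, as written in Gradle repository declarations.
HTTP_URL = re.compile(r"""["'](http://[^"'\s]+)["']""", re.IGNORECASE)

def strip_comments(text):
    """Drop // and /* */ comments but keep strings, so the '//' in a URL survives."""
    out, i, quote = [], 0, None
    while i < len(text):
        ch, nxt = text[i], text[i:i + 2]
        if quote:
            if ch == "\\" and i + 1 < len(text):      # keep escaped character as-is
                out.append(nxt); i += 2; continue
            if ch == quote or ch == "\n":             # string ends (or line ends)
                quote = None
            out.append(ch); i += 1
        elif ch in "'\"":
            quote = ch; out.append(ch); i += 1
        elif nxt == "//":                             # line comment: skip to newline
            end = text.find("\n", i)
            i = len(text) if end == -1 else end
        elif nxt == "/*":                             # block comment: keep line count
            end = text.find("*/", i + 2)
            end = len(text) if end == -1 else end + 2
            out.append("\n" * text.count("\n", i, end)); i = end
        else:
            out.append(ch); i += 1
    return "".join(out)

def find_insecure_repos(build_text):
    """Return (line_number, url) for each quoted http:// URL outside comments."""
    stripped = strip_comments(build_text)
    return [(n, url) for n, line in enumerate(stripped.splitlines(), 1)
            for url in HTTP_URL.findall(line)]

# Constructed sample build script (hypothetical hosts), not taken from Buildship.
SAMPLE = '''\
repositories {
    // old mirror: maven { url "http://mirror.example.com/m2" }
    maven { url "http://repo.example.com/maven2" }
    maven { url = uri('https://plugins.example.com/m2') }
    /* maven { url "http://disabled.example.com" }
    */
    maven { url 'HTTP://legacy.example.com/releases' }  // TODO: switch
}
'''

if __name__ == "__main__":
    for lineno, url in find_insecure_repos(SAMPLE):
        print(f"line {lineno}: dependency source over plain HTTP: {url}")
```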

Related Identifiers: CVE-2019-11770

Affected Products: Eclipse Buildship