PT-2021-4475 · Eclipse · Eclipse Che

Scott Gayou · Published 2021-09-29 · Updated 2021-10-07 · CVE-2021-41034

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse Che version 6

Description: The build process of some language stacks in Eclipse Che pulls binaries from an unsecured HTTP endpoint, which exposes those downloads to man-in-the-middle (MITM) attacks and lets an attacker replace the original binaries with arbitrary ones. The affected stacks are Java 8 (alpine and centos), Android, and PHP. The vulnerability can only be exploited during the build process, not at runtime.

Recommendations: For Eclipse Che version 6, consider disabling the build process for the affected language stacks until a secure HTTP endpoint is implemented. Restrict access to the unsecured HTTP endpoint to minimize the risk of exploitation. Avoid using the affected stacks (Java 8, Android, and PHP) until the issue is resolved. As a temporary workaround, consider pulling the binaries from alternative, secured endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
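Added illustration for the pattern described above (not Eclipse Che's own code or build files): an audit that flags plain-HTTP binary fetches in Dockerfile-style build definitions, plus the checksum-pinning check that rejects a substituted download even when the transport cannot be upgraded. The sample Dockerfile, hostnames and archive names are constructed.

```python
"""Audit build definitions for binaries fetched over unencrypted HTTP and
verify downloaded artifacts against a pinned SHA-256 (constructed example)."""
import hashlib
import hmac
import re

# A download command (curl, wget, or a Dockerfile ADD) followed by an http:// URL.
_INSECURE_FETCH = re.compile(r"\b(?:curl|wget|ADD)\b.*?(http://\S+)", re.IGNORECASE)

# Constructed sample modelled on a language-stack build; not a real Che Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.7
# constructed example: JDK and SDK archives pulled during the image build
RUN wget http://downloads.example.invalid/jdk8/jdk-8.tar.gz -O /tmp/jdk.tar.gz
RUN curl -fsSL https://downloads.example.invalid/maven/maven.tar.gz -o /tmp/maven.tar.gz
ADD http://downloads.example.invalid/android/sdk-tools.zip /opt/sdk-tools.zip
RUN echo http://not-a-download.example.invalid > /etc/motd
"""


def find_insecure_fetches(build_text: str) -> list[tuple[int, str]]:
    """Return (line_number, url) for every download that uses plain HTTP.

    HTTPS fetches and http:// strings that are not part of a download command
    (e.g. an echo) are not reported; comment lines are skipped.
    """
    hits = []
    for line_no, line in enumerate(build_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        match = _INSECURE_FETCH.search(line)
        if match:
            hits.append((line_no, match.group(1)))
    return hits


def verify_pinned_sha256(data: bytes, expected_hex: str) -> bool:
    """Checksum pinning: an artifact swapped in transit fails this comparison.

    The expected digest must come from a trusted source (e.g. committed in the
    build definition), not from the same untrusted endpoint as the binary.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    for line_no, url in find_insecure_fetches(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: insecure fetch of {url}")
```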

Weakness Enumeration

Related Identifiers

BDU:2021-05108
CVE-2021-41034

Affected Products

Eclipse Che