Request for a new CVE. For details about the content have a look here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=544852 (multiple projects affected)
and https://github.com/eclipse/hawkbit/issues/812

=======================================
Project: Eclipse hawkBit
version: All versions prior 0.3.0M2
cwe:
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
summary:
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of hawkBit might be infected.
I've assigned CVE-2019-10240. I'll push to the central authority shortly.
Pull request: https://github.com/CVEProject/cvelist/pull/1821
Hi Wayne, not sure if you saw it but CVE team requested changes
(In reply to Dominic Schabel from comment #3)
> Hi Wayne,
>
> not sure if you saw it but CVE team requested changes

Multiple CWEs threw me off. It passed local validation, so I assumed that it would work. I'll sort it out.