Bug 546053 (CVE-2019-10240) - Eclipse hawkBit: New CVE Request
Summary: Eclipse hawkBit: New CVE Request
Status: RESOLVED FIXED
Alias: CVE-2019-10240
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-04-02 08:37 EDT by Dominic Schabel
Modified: 2019-05-09 13:10 EDT
Description Dominic Schabel 2019-04-02 08:37:14 EDT
Request for a new CVE. For details about the content have a look here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=544852 (multiple projects affected)
and https://github.com/eclipse/hawkbit/issues/812

=======================================

Project: Eclipse hawkBit

version: All versions prior to 0.3.0M2

cwe: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
     CWE-494: Download of Code Without Integrity Check

summary: Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin-based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, produced build artifacts of hawkBit might be infected.
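As an added example (not code from the hawkBit project or from this report), a check for the weakness class described above: it scans a Maven POM for repository, plugin-repository and distribution-management declarations whose URL is not HTTPS, so a build cannot silently resolve or deploy artifacts over a channel that a network attacker could tamper with. The POM snippet and its repository URLs are constructed for illustration.

```python
"""Flag Maven repository declarations that resolve or deploy over plain HTTP.

Added example; not code from the hawkBit project or from this report.
SAMPLE_POM and its URLs are constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Elements whose <url> child points at a remote repository. Covers
# <repositories>, <pluginRepositories>, profile-scoped copies of both, and
# <distributionManagement> deploy targets, wherever they sit in the POM.
REPO_ELEMENTS = {"repository", "pluginRepository", "snapshotRepository"}

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>addons</id><url>http://addons.example.test/repo</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>snapshots</id><url>http://snapshots.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so POMs with or without xmlns match alike."""
    return tag.rsplit("}", 1)[-1]


def insecure_repositories(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) for every repository whose URL scheme is not https.

    A plain-http (or file/ftp, or missing) URL lets anyone on the network path
    substitute artifacts, which is the MITM exposure behind CWE-494.
    """
    findings = []
    for element in ET.fromstring(pom_xml).iter():
        if _local(element.tag) not in REPO_ELEMENTS:
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        url = fields.get("url", "")
        if urlparse(url).scheme.lower() != "https":
            findings.append((fields.get("id", "<no id>"), url))
    return findings


if __name__ == "__main__":
    # Usage: python check_repos.py pom.xml ...  (no arguments: scan SAMPLE_POM)
    sources = {p: Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]} or {"SAMPLE_POM": SAMPLE_POM}
    for name, xml in sources.items():
        for repo_id, url in insecure_repositories(xml):
            print(f"{name}: repository '{repo_id}' is not HTTPS: {url or '(empty)'}")
```

Maven 3.8.1 and later ship a `maven-default-http-blocker` mirror in the default settings.xml that blocks external HTTP repositories; the scan above catches the same declarations on older Maven versions or where that mirror has been overridden.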
Comment 1 Wayne Beaton 2019-04-02 10:01:06 EDT
I've assigned CVE-2019-10240.

I'll push to the central authority shortly.
Comment 2 Wayne Beaton 2019-04-02 11:10:50 EDT
Pull request: https://github.com/CVEProject/cvelist/pull/1821
Comment 3 Dominic Schabel 2019-04-03 09:21:07 EDT
Hi Wayne,

Not sure if you saw it, but the CVE team requested changes.
Comment 4 Wayne Beaton 2019-04-03 10:00:49 EDT
(In reply to Dominic Schabel from comment #3)
> Hi Wayne,
> 
> Not sure if you saw it, but the CVE team requested changes.

Multiple CWEs threw me off. It passed local validation, so I assumed that it would work. I'll sort it out.