Bug 546622 (CVE-2019-10248) - Eclipse Vorto: New CVE Request
Summary: Eclipse Vorto: New CVE Request
Status: RESOLVED FIXED
Alias: CVE-2019-10248
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows 10
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-04-22 03:30 EDT by Alexander Edelmann CLA
Modified: 2019-05-09 13:13 EDT
Description Alexander Edelmann CLA 2019-04-22 03:30:12 EDT
Request for a new CVE. For details about the content have a look here:
https://github.com/eclipse/vorto/issues/1434

=======================================

Project: Eclipse Vorto

version: All versions prior to 0.11

CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check

summary: Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, the produced build artifacts of Vorto might be infected.
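
The weakness summarized above (CWE-494 via plaintext artifact resolution) can be caught in review by auditing a POM for repository URLs that are not HTTPS. The following is an added example, not part of the original report and not code from the Vorto project; the sample POM, its hostnames and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM for illustration; not taken from the Vorto repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mirror.base>http://repo.example.test</mirror.base></properties>
  <repositories>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
    <repository><id>xtext-mirror</id><url>${mirror.base}/xtext</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins</id><url>HTTP://plugins.example.test/m2</url></pluginRepository>
  </pluginRepositories>
</project>"""

# Elements whose <url> child names a remote Maven repository.
REPO_TAGS = {"repository", "pluginRepository", "snapshotRepository"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def expand(value, props):
    """Substitute ${name} from <properties>; bounded so cycles terminate."""
    for _ in range(5):
        new = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value

def insecure_repositories(pom_text):
    """Return (id, url) for every repository not fetched over HTTPS."""
    root = ET.fromstring(pom_text)  # run on your own POMs, not untrusted XML
    props = {}
    for el in root:
        if local(el.tag) == "properties":
            props = {local(p.tag): (p.text or "").strip() for p in el}
    findings = []
    for el in root.iter():
        if local(el.tag) not in REPO_TAGS:
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        url = expand(fields.get("url", ""), props)
        # Allowlist: anything other than https:// (http, unresolved ${...}) is reported.
        if not url.lower().startswith("https://"):
            findings.append((fields.get("id", "?"), url))
    return findings

if __name__ == "__main__":
    for repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"{repo_id}: {url}")
```

The `xmlns` value on `<project>` is a namespace identifier that Maven never fetches, so the check deliberately inspects only the `<url>` children of repository elements, after property expansion.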
Comment 1 Wayne Beaton CLA 2019-04-22 13:50:55 EDT
Pull request: https://github.com/CVEProject/cvelist/pull/1932