Bug 547734 (CVE-2019-11770) - Eclipse Buildship: New CVE Request
Summary: Eclipse Buildship: New CVE Request
Status: RESOLVED FIXED
Alias: CVE-2019-11770
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-05-28 08:46 EDT by Donat Csikos CLA
Modified: 2020-01-10 11:54 EST
Description Donat Csikos CLA 2019-05-28 08:46:22 EDT
Request for a new CVE. For details about the content have a look here:
https://github.com/eclipse/buildship/issues/855

=======================================

Project: Eclipse Buildship

version: All versions prior to 3.1.1

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

summary: The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts could have been MITM to maliciously compromise them and infect the build artifacts that were produced. Additionally, if any of these JARs or other dependencies were compromised, any developers using these could continue to be infected past updating to fix this.
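
A check for the condition the summary describes, added here as an example and not taken from the bug report or from Buildship's code: it scans a Gradle build script for repository URLs declared with the `http://` scheme. The sample script, its host names, the function names and the loopback exemption are assumptions of this example, and the suggested `https://` URL assumes the same host serves the repository over TLS.

```python
import re

# Constructed sample build script (hosts are placeholders, not Buildship's own files).
SAMPLE_BUILD_GRADLE = """\
buildscript {
    repositories {
        maven { url "http://repo.example.org/releases" }   // cleartext
        maven { url 'https://plugins.example.org/m2/' }
    }
}
repositories {
    // maven { url "http://old.example.org/" }  (commented out)
    maven { url = uri("http://mirror.example.org/maven2") }
    maven { url "http://localhost:8081/repository/internal" }
}
"""

# Matches: url "http://..", url = uri("http://.."), url("http://..")
URL_RE = re.compile(r"""\burl\b\s*[=(]?\s*(?:uri\s*\(\s*)?["'](http://[^"'\s]+)["']""")
# Assumption: loopback repositories never cross the network, so they are skipped.
LOOPBACK = re.compile(r"^http://(localhost|127\.0\.0\.1|\[::1\])([:/]|$)")


def strip_comments(text):
    """Blank out /* */ and // comments while keeping line numbers stable."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())
    text = re.sub(r"/\*.*?\*/", blank, text, flags=re.S)
    # A '//' preceded by ':' belongs to a URL scheme, not to a comment.
    return re.sub(r"(?<!:)//[^\n]*", "", text)


def find_cleartext_repos(build_script):
    """Return (line, url, suggested_https_url) for each cleartext repository URL."""
    findings = []
    for lineno, line in enumerate(strip_comments(build_script).splitlines(), 1):
        for m in URL_RE.finditer(line):
            url = m.group(1)
            if LOOPBACK.match(url):
                continue
            findings.append((lineno, url, "https://" + url[len("http://"):]))
    return findings


if __name__ == "__main__":
    for lineno, url, fixed in find_cleartext_repos(SAMPLE_BUILD_GRADLE):
        print(f"line {lineno}: {url} -> {fixed}")
```

Switching the scheme protects later builds only; artifacts already fetched over HTTP remain in local caches and in anything built from them, which is the lingering risk the summary mentions.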
Comment 1 Jens Reimann CLA 2019-06-11 04:53:44 EDT
Does any of the project leads agree on assigning a CVE?
Comment 2 Wayne Beaton CLA 2019-06-13 16:46:23 EDT
(In reply to Jens Reimann from comment #1)
> Does any of the project leads agree on assigning a CVE?

Donat has been working as a delegate for the project leads on a number of different matters. I'm content that Donat represents their interests. 

I've assigned CVE-2019-11770.
Comment 3 Wayne Beaton CLA 2019-06-13 16:59:34 EDT
I've created a pull request.

https://github.com/CVEProject/cvelist/pull/2162