Vulnerability Details : CVE-2019-10248
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, build artifacts produced by Vorto might be infected.
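The weakness described above is a build configuration that fetches artifacts over plain HTTP, which leaves them open to tampering in transit. As an added example (not code from the Vorto project or from this record), the Python below scans a constructed pom.xml for `repository` and `pluginRepository` URLs using the http scheme and rewrites them to https; the repository ids and hosts are placeholders, not Vorto's real repositories.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample pom.xml for this example; not Vorto's real build file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>xtext-snapshots</id><url>http://example.invalid/xtext/snapshots</url></repository>
    <repository><id>central</id><url>https://repo.maven.apache.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>xtext-plugins</id><url>HTTP://example.invalid/xtext/plugins</url></pluginRepository>
  </pluginRepositories>
</project>
"""

REPO_PATHS = ("m:repositories/m:repository",
              "m:pluginRepositories/m:pluginRepository")

def insecure_repositories(pom_xml: str) -> list[tuple[str, str]]:
    """Return (id, url) for every repository resolved over plain HTTP; scheme match is case-insensitive."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path in REPO_PATHS:
        for repo in root.findall(path, NS):
            repo_id = repo.findtext("m:id", default="(no id)", namespaces=NS)
            url = repo.findtext("m:url", default="", namespaces=NS).strip()
            if url.lower().startswith("http://"):
                findings.append((repo_id, url))
    return findings

def harden(pom_xml: str) -> str:
    """Return the POM with each http:// repository URL rewritten to https://.
    A host that does not actually serve HTTPS must be replaced, not just rewritten."""
    ET.register_namespace("", POM_NS)  # keep the default xmlns on output
    root = ET.fromstring(pom_xml)
    for path in REPO_PATHS:
        for repo in root.findall(path, NS):
            url_el = repo.find("m:url", NS)
            if url_el is not None and url_el.text and url_el.text.strip().lower().startswith("http://"):
                url_el.text = "https://" + url_el.text.strip()[len("http://"):]
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for repo_id, url in insecure_repositories(SAMPLE_POM):
        print(f"plain-HTTP repository {repo_id!r}: {url}")
```

Maven 3.8.1 and later block plain-HTTP repositories by default through a mirror entry in the bundled default settings.xml, so the same misconfiguration fails loudly on a current Maven instead of silently downloading over HTTP.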
Vulnerability category: File inclusion
Products affected by CVE-2019-10248
- cpe:2.3:a:eclipse:vorto:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10248
EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~35% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-10248
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | 
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | 
CWE ids for CVE-2019-10248
- The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. (Assigned by: emo@eclipse.org, Secondary)
- The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. (Assigned by: nvd@nist.gov, Primary)
- The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. (Assigned by: emo@eclipse.org, Secondary)
References for CVE-2019-10248
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546622 (546622 – (CVE-2019-10248) Eclipse Vorto: New CVE Request; Third Party Advisory)