CVE-2019-10240
Cleartext Transmission of Sensitive Information, Inclusion of Functionality from Untrusted Control Sphere, and Download of Code Without Integrity Check in Eclipse hawkBit
CVSS 3.1 base score: 8.1 (HIGH)
EPSS: 0.08%
Description
Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin-based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously replaced by a MITM attacker, so build artifacts of hawkBit produced from them might be infected.
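The root cause here is a build configuration that fetches dependencies over a cleartext channel, so the defensive check is a scan of the Maven build descriptor for repository URLs that use `http://`. The following Python script is an added example written for this page, not code from the hawkBit project: it parses a constructed `pom.xml` (the repository hosts are placeholders under `.invalid`, and the function and constant names are the author's own), reports every repository, plugin repository or distribution repository whose URL is plain HTTP, and produces a hardened copy with those URLs switched to HTTPS. Like Maven's own default blocker, it treats `localhost` as acceptable unless told otherwise.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Maven POM namespace used by every pom.xml element.
POM_NS = "http://maven.apache.org/POM/4.0.0"

# Every place in a pom.xml that can carry a repository URL.
REPO_PATHS = (
    "repositories/repository",
    "pluginRepositories/pluginRepository",
    "distributionManagement/repository",
    "distributionManagement/snapshotRepository",
)

# Constructed sample: one cleartext dependency repository, one HTTPS
# repository, one local development mirror, and one cleartext plugin
# repository. Hosts under .invalid are placeholders, not real servers.
WEAK_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>ui</artifactId>
  <version>0.1</version>
  <repositories>
    <repository>
      <id>addons</id>
      <url>http://addons.example.invalid/maven</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
    <repository>
      <id>local-dev</id>
      <url>http://localhost:8081/repository/maven-public</url>
    </repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository>
      <id>plugins</id>
      <url>http://example.invalid/maven-plugins</url>
    </pluginRepository>
  </pluginRepositories>
</project>
"""


def _qualified(path):
    """Prefix each step of a slash-separated path with the POM namespace."""
    return "/".join(f"{{{POM_NS}}}{step}" for step in path.split("/"))


def _is_plain_http(url, allow_local):
    """True when the URL uses cleartext HTTP (optionally ignoring localhost)."""
    parts = urlsplit((url or "").strip())
    if parts.scheme.lower() != "http":
        return False
    if allow_local and parts.hostname in ("localhost", "127.0.0.1", "::1"):
        return False
    return True


def find_insecure_repositories(pom_xml, allow_local=True):
    """Return (element kind, repository id, url) for each cleartext repository."""
    root = ET.fromstring(pom_xml)
    findings = []
    for path in REPO_PATHS:
        for repo in root.iterfind(_qualified(path)):
            url_el = repo.find(f"{{{POM_NS}}}url")
            id_el = repo.find(f"{{{POM_NS}}}id")
            url = (url_el.text or "").strip() if url_el is not None else ""
            repo_id = (id_el.text or "").strip() if id_el is not None else "<no id>"
            if _is_plain_http(url, allow_local):
                findings.append((path.split("/")[-1], repo_id, url))
    return findings


def harden_repository_urls(pom_xml, allow_local=True):
    """Return (hardened pom text, number of URLs rewritten from http to https)."""
    ET.register_namespace("", POM_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(pom_xml)
    changed = 0
    for path in REPO_PATHS:
        for repo in root.iterfind(_qualified(path)):
            url_el = repo.find(f"{{{POM_NS}}}url")
            if url_el is not None and _is_plain_http(url_el.text, allow_local):
                url_el.text = "https://" + url_el.text.strip()[len("http://"):]
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for kind, repo_id, url in find_insecure_repositories(WEAK_POM):
        print(f"cleartext {kind} '{repo_id}': {url}")
    hardened, n = harden_repository_urls(WEAK_POM)
    print(f"rewrote {n} URL(s); remaining findings: "
          f"{find_insecure_repositories(hardened)}")
```

Rewriting the URL is only half of the fix: the HTTPS endpoint must actually exist and present a certificate the build host trusts, otherwise the build fails rather than silently falling back. Maven 3.8.1 and later also ship a default `maven-default-http-blocker` mirror that refuses external HTTP repositories, which is why builds of older projects with `http://` repository URLs started failing on that release.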
How to fix CVE-2019-10240
To remediate CVE-2019-10240, upgrade the affected package to a fixed version below.
- For each of the 10 affected packages: upgrade to 0.3.0M2 or later
Is CVE-2019-10240 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (10)
- All listed packages: affected from 0, < 0.3.0M2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |