Vulnerabilities > CVE-2019-10753 - Incorrect Resource Transfer Between Spheres vulnerability in Diffplug Eclipse-Cdt, Eclipse-Groovy and Eclipse-Wtp

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

diffplug

CWE-669

NVD

Published: 2019-09-05

Updated: 2019-09-06

Summary

In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.

Vulnerable Configurations

Part	Description	Count
Application	Diffplug Diffplug Eclipse CDT * Diffplug Eclipse Groovy * Diffplug Eclipse WTP *	3

Common Weakness Enumeration (CWE)

CWE-669 - Incorrect Resource Transfer Between Spheres

References

https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377