CVE-2019-10753

Name: CVE-2019-10753
Description: In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have performed a Man-in-the-Middle attack during the build and altered the build artifacts that were produced. If any of these artifacts were compromised, any developers using them could be affected. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were tampered with. Until this happens, we cannot guarantee that this artifact was not compromised, even though the probability that this happened is low.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| eclipse-wtp (PTS) | stretch | 3.6.3-3 | fixed |
| | stretch (security) | 3.6.3-3+deb9u1 | fixed |
| | bullseye, sid | 3.18-5 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| eclipse-wtp | source | (unstable) | (not affected) | | | |

Notes

- eclipse-wtp <not-affected> (Does not affect the Debian build/package)
- https://snyk.io/vuln/SNYK-JAVA-COMDIFFPLUGSPOTLESS-460377
