CVE-2019-10753

  • Severity Score: 5.9 (CVSS v3)
  • Exploit Likelihood (EPSS): not listed
  • Affected Versions (CPE): see Affected Vendors, Products, and Versions below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

In all versions prior to 3.9.6 of eclipse-wtp, all versions prior to 9.4.4 of eclipse-cdt, and all versions prior to 3.0.1 of eclipse-groovy, Spotless resolved dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have performed a Man-in-the-Middle attack during the build and altered the build artifacts that were produced. If any of these artifacts were compromised, the projects of any developers using them could in turn have been altered. **Note:** In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were tampered with. Until this happens, we cannot guarantee that this artifact was not compromised, even though the probability that this happened is low.

Credits: N/A

CVSS Scores

CVSS v3 (base score 5.9)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None

CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Medium
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None

SSVC (decision based on the organization's worst-case scenario)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -

Timeline
  • 2019-04-03 CVE Reserved
  • 2019-09-05 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-03-30 EPSS Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded

CWE
  • CWE-669: Incorrect Resource Transfer Between Spheres

Affected Vendors, Products, and Versions

| Vendor   | Product        | Version | Other    | Status   |
|----------|----------------|---------|----------|----------|
| Diffplug | Eclipse-cdt    | < 9.4.4 | spotless | Affected |
| Diffplug | Eclipse-groovy | < 3.0.1 | spotless | Affected |
| Diffplug | Eclipse-wtp    | < 3.9.6 | spotless | Affected |