Miggo Logo

CVE-2019-10249: Potentially compromised builds

8.1

CVSS Score
3.1

Basic Information

EPSS Score
0.37714%
Published
5/24/2022
Updated
2/2/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.eclipse.xtext:org.eclipse.xtextmaven< 2.18.02.18.0
org.eclipse.xtend:org.eclipse.xtend.coremaven< 2.18.02.18.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insecure HTTP protocol usage in build infrastructure. The commit diff shows systematic replacement of HTTP with HTTPS in repository URLs across build configurations. Key vulnerable points are:

  1. Jenkins URL definition in Gradle setup files
  2. Maven repository declarations
  3. Eclipse target platform configurations These functions are vulnerable because they handle dependency resolution over unencrypted channels, enabling potential MITM attacks and artifact compromise. The high confidence comes from direct evidence in commit diffs and CWE-319 alignment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll Xt*xt & Xt*n* v*rsions prior to *.**.* w*r* *uilt usin* *TTP inst*** o* *TTPS *il* tr*ns**r *n* t*us t** *uilt *rti***ts m*y **v* ***n *ompromis**.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* *TTP proto*ol us*** in *uil* in*r*stru*tur*. T** *ommit *i** s*ows syst*m*ti* r*pl***m*nt o* *TTP wit* *TTPS in r*pository URLs **ross *uil* *on*i*ur*tions. K*y vuln*r**l* points *r*: *. J*nkins URL ***inition i