CVE-2019-10249: Potentially compromised builds
8.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.37714%
CWE
Published
5/24/2022
Updated
2/2/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.eclipse.xtext:org.eclipse.xtext | maven | < 2.18.0 | 2.18.0 |
org.eclipse.xtend:org.eclipse.xtend.core | maven | < 2.18.0 | 2.18.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure HTTP protocol usage in build infrastructure. The commit diff shows systematic replacement of HTTP with HTTPS in repository URLs across build configurations. Key vulnerable points are:
- Jenkins URL definition in Gradle setup files
- Maven repository declarations
- Eclipse target platform configurations These functions are vulnerable because they handle dependency resolution over unencrypted channels, enabling potential MITM attacks and artifact compromise. The high confidence comes from direct evidence in commit diffs and CWE-319 alignment.