5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10753

GHSA ID

GHSA-gvxv-5fp2-358q

EPSS Score

0.4913%

CWE

CWE-669

Published

9/11/2019

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10753

CVE-2019-10753: Incorrect Resource Transfer Between Spheres in eclipse-wtp

In all versions prior to version 3.9.6 for eclipse-wtp, all versions prior to version 9.4.4 for eclipse-cdt, and all versions prior to version 3.0.1 for eclipse-groovy, Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered. Note: In order to validate that this artifact was not compromised, the maintainer would need to confirm that none of the artifacts published to the registry were not altered with. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10753

GHSA ID

GHSA-gvxv-5fp2-358q

EPSS Score

0.4913%

CWE

CWE-669

Published

9/11/2019

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.diffplug.spotless:spotless-eclipse-wtp	maven	< 3.9.6	3.9.6
com.diffplug.spotless:spotless-eclipse-cdt	maven	< 9.4.4	9.4.4
com.diffplug.spotless:spotless-eclipse-groovy	maven	< 3.0.1	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from dependency resolution over HTTP instead of HTTPS. The build.gradle files in all three components explicitly configure p2Repository with HTTP URLs (as shown in GitHub issue #360). These configurations are direct causes of insecure resource transfer between spheres (CWE-669) as they allow MITM attacks during dependency fetching. The patched versions switched these URLs to HTTPS, confirming these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *ll v*rsions prior to v*rsion *.*.* *or **lips*-wtp, *ll v*rsions prior to v*rsion *.*.* *or **lips*-**t, *n* *ll v*rsions prior to v*rsion *.*.* *or **lips*-*roovy, Spotl*ss w*s r*solvin* **p*n**n*i*s ov*r *n ins**ur* ***nn*l (*ttp). I* t** *uil*

Reasoning

T** vuln*r**ility st*ms *rom **p*n**n*y r*solution ov*r *TTP inst*** o* *TTPS. T** `*uil*.*r**l*` *il*s in *ll t*r** *ompon*nts *xpli*itly *on*i*ur* `p*R*pository` wit* *TTP URLs (*s s*own in *it*u* issu* #***). T**s* *on*i*ur*tions *r* *ir**t **us*s

5.9

Basic Information

Concerned about an active attack path?

CVE-2019-10753: Incorrect Resource Transfer Between Spheres in eclipse-wtp

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI