CVE-2019-10240

HIGH

Eclipse hawkBit < 0.2.5 - Cleartext Transmission

Description

Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifacts for the Vaadin-based UI over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence, the build artifacts produced for hawkBit might be infected.

Scores

CVSS v3 8.1
EPSS 0.0008
EPSS Percentile 23.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-319 CWE-494 CWE-829
Status published

Affected Products (12)

eclipse/hawkbit < 0.2.5
eclipse/hawkbit
org.eclipse.hawkbit/hawkbit-autoconfigure < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-ui < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-parent < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-starters < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-boot-starter < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-update-server < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-boot-starter-mgmt-ui < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-boot-starter-mgmt-api < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-boot-starter-dmf-api < 0.3.0M2 (Maven)
org.eclipse.hawkbit/hawkbit-boot-starter-ddi-api < 0.3.0M2 (Maven)

Timeline

Published Apr 03, 2019
Tracked Since Feb 18, 2026