Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2019-1010260] [SECURITY] Resolve dependenices over HTTPS instead of HTTP #332

Merged
merged 2 commits into from
Jan 31, 2019
Merged

[CVE-2019-1010260] [SECURITY] Resolve dependenices over HTTPS instead of HTTP #332

merged 2 commits into from
Jan 31, 2019

Conversation

JLLeitschuh
Copy link
Contributor

Before this change, all the repositories that have been used to resolve rulesets have downloaded those rulesets over HTTP instead of HTTPS. This leaves the user wide open to system compromise via a Man In The Middle (MITM) attack. This isn't just theoretical; POC code exists already.

See:

I will file for a CVE number after this is merged and a release has been published.

This vulnerability has a CVSS v3.0 Base Score of 8.1

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SamCarlberg
SamCarlberg suggested changes Jan 28, 2019
View reviewed changes
Copy link
Contributor

@SamCarlberg SamCarlberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Grammar

ktlint/src/main/kotlin/com/github/shyiko/ktlint/Main.kt Outdated Show resolved Hide resolved
ktlint/src/main/kotlin/com/github/shyiko/ktlint/Main.kt Outdated Show resolved Hide resolved
@JLLeitschuh
Copy link
Contributor Author

Thanks @SamCarlberg!

@shyiko shyiko merged commit 5e547b2 into pinterest:master Jan 31, 2019
@shyiko
Copy link
Collaborator

shyiko commented Jan 31, 2019

🙇

@JLLeitschuh
Copy link
Contributor Author

CVE has been filed for:
https://pending-requests-v5.distributedweaknessfiling.org

shyiko pushed a commit that referenced this pull request Feb 4, 2019
#332 follow up
501fa09
@arturbosch arturbosch mentioned this pull request Feb 13, 2019
Closed
@JLLeitschuh
Copy link
Contributor Author

This has been given a CVE number: CVE-2019-1000034

@JLLeitschuh
Copy link
Contributor Author

Hi @pinterest,
This never got a CVE number assigned to it because the maintainer trying to issue the report got busy: CVEProject/cvelist#1609 (comment)

Do you want me to re-submit for the CVE number or is Pintrest a CNA?

@devinlundberg
Copy link

Pinterest is not a CNA so feel free to resubmit.

@JLLeitschuh
Copy link
Contributor Author

We have a reserved CVE for this vulnerability. Details should be posted there shortly (hopefully).

It seems with the DWF (Distributed Weakness Filing) having been shut down, it seems that MITRE has a bit of a backlog to chew through.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010260

@JLLeitschuh JLLeitschuh changed the title [SECURITY] Resolve dependenices over HTTPS instead of HTTP [CVE-2019-1010260] [SECURITY] Resolve dependenices over HTTPS instead of HTTP Apr 2, 2019
@JLLeitschuh JLLeitschuh mentioned this pull request Jun 4, 2019
Closed
This was referenced Mar 16, 2021
Open
Open
Open
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SamCarlberg SamCarlberg SamCarlberg requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@JLLeitschuh @shyiko @devinlundberg @SamCarlberg