Lucene search

GitHub_MCVELIST:CVE-2021-32700

HistoryJun 22, 2021 - 7:30 p.m.

CVE-2021-32700 Supply chain attack via MiTM against users

2021-06-2219:30:12

CWE-306

GitHub_M

www.cve.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.8%

JSON

Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.

CNA Affected

[
  {
    "product": "ballerina-lang",
    "vendor": "ballerina-platform",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.2.14"
      },
      {
        "status": "affected",
        "version": "< SL-alpha4"
      }
    ]
  }
]

References

github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816

github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.8%

JSON

Related for CVELIST:CVE-2021-32700