16 matches found
EUVD-2022-5161
Malicious code in bioql PyPI...
com.github.gergelyszaz.bgl:board-game-language (=0.1.0), com.github.marc-christian-schulze.structs4java:structs4java-core (>=1.0.13 <=1.0.45) +111 more potentially affected by CVE-2019-10249 via org.eclipse.xtext:org.eclipse.xtext (>=2.10.0 <=2.17.1)
org.eclipse.xtext:org.eclipse.xtext MAVEN version =2.10.0, =1.0.13, =1.0.13, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.0, =1.4.2 and more Source cves: CVE-2019-10249 Source advisory: OSV:GHSA-RFJ2-4G26-7JW5...
GHSA-RFJ2-4G26-7JW5 Potentially compromised builds
All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised...
Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected...
CVE-2019-10249
All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised...
golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag...
ca.uhn.hapi.fhir.karaf:hapi-fhir (>=3.3.0 <=3.7.0), com.esri.geoevent.sdk:geoevent-sdk (>=10.7.1 <=10.8.1) +118 more potentially affected by CVE-2021-44228 via org.ops4j.pax.logging:pax-logging-log4j2 (>=1.10.0 <=1.10.7)
org.ops4j.pax.logging:pax-logging-log4j2 MAVEN version =1.10.0, =3.3.0, =10.7.1, =2.0.1, =1.2.0, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.61.2, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =3.24.01 and more Source cves: CVE-2021-44228 Source advisory: OSV:GHSA-JFH8-C2JP-5V3Q...
Design/Logic Flaw
All Xtext & Xtend versions prior to 2.18.0 were built using HTTP instead of HTTPS file transfer and thus the built artifacts may have been compromised...
CVE-2019-10249
CVE-2019-10249 affects all Xtext and Xtend versions prior to 2.18.0 where artifacts were built over HTTP instead of HTTPS, creating a risk that build artifacts could be compromised. The connected sources corroborate a MITM-style risk during builds and describe a remediation: upgrade to org.eclips...
Design/Logic Flaw
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected...
CVE-2019-10248
Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a MITM attack. Hence produced build artifacts of Vorto might be infected...
CVE-2019-10248
CVE-2019-10248 affects Eclipse Vorto prior to 0.11. Maven build artifacts for the Xtext project were resolved over HTTP rather than HTTPS, enabling potential MITM tampering of dependency artifacts. This could allow infected build artifacts to be produced. The issue is tied to the build/download c...