CVE-2021-41034

Summary

The build of some language stacks of Eclipse Che version 6 includes pulling some binaries from an unsecured HTTP endpoint. As a consequence the builds of such stacks are vulnerable to MITM attacks that allow the replacement of the original binaries with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime but only when building Che.

Affected Software

VendorProductVersion RangeStatus
The Eclipse FoundationEclipse Che6.0 < unspecifiedaffected
The Eclipse FoundationEclipse Cheunspecified < 7.0affected

Weaknesses

  • CWE-924: CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

ADP Enrichment

CVE Program Container

Additional References

References