[CVE-2019-1010260] [SECURITY] Resolve dependencies over HTTPS instead of HTTP #332
Before this change, all the repositories that have been used to resolve rulesets have downloaded those rulesets over HTTP instead of HTTPS. This leaves the user wide open to system compromise via a Man In The Middle (MITM) attack. This isn't just theoretical; POC code exists already.
I will file for a CVE number after this is merged and a release has been published.
This vulnerability has a CVSS v3.0 Base Score of 8.1
CVE has been filed for:
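The pull request description above explains the defect in one sentence: ruleset repositories were fetched over plaintext HTTP, so anyone on the network path could substitute their own content. The following is an added example of the defensive check a maintainer or auditor can run over a resolver configuration; it is not code from this pull request or from the project. The configuration format (one `name = url` per line), the repository names and hostnames are all constructed for the example.

```python
"""Audit dependency/ruleset resolver URLs for plaintext transport.

Added example, not the project's own code. The configuration format used
here (one "name = url" line per repository) is hypothetical.
"""
from urllib.parse import urlparse, urlunparse

# Constructed sample configuration (hypothetical format and hosts).
SAMPLE_CONFIG = """\
# repositories consulted when resolving rulesets
central   = http://repo.example.org/rulesets
mirror    = https://mirror.example.net/rulesets
legacy    = HTTP://legacy.example.com/rules
local     = file:///opt/rulesets
"""

# Schemes that move bytes over the network with no integrity or authenticity.
PLAINTEXT_SCHEMES = {"http", "ftp"}


def parse_repositories(text):
    """Return [(name, url)] for each non-comment, non-blank 'name = url' line."""
    repos = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, url = line.partition("=")
        if not sep:
            continue
        repos.append((name.strip(), url.strip()))
    return repos


def find_plaintext_repositories(text):
    """Names and URLs of repositories fetched without transport security.

    urlparse() lower-cases the scheme, so 'HTTP://...' is caught as well.
    """
    return [(name, url) for name, url in parse_repositories(text)
            if urlparse(url).scheme in PLAINTEXT_SCHEMES]


def harden_config(text):
    """Rewrite http:// repository URLs to https://, leaving every other byte intact."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and "=" in stripped:
            _, _, url = stripped.partition("=")
            url = url.strip()
            parts = urlparse(url)
            if parts.scheme == "http":
                fixed = urlunparse(parts._replace(scheme="https"))
                out.append(line.replace(url, fixed))
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def fetch_guard(url):
    """Runtime guard: refuse to resolve anything over a plaintext scheme.

    Returns the URL unchanged when it is acceptable, raises ValueError otherwise,
    so a resolver can call it immediately before opening the connection.
    """
    if urlparse(url).scheme in PLAINTEXT_SCHEMES:
        raise ValueError(f"refusing plaintext download: {url}")
    return url


if __name__ == "__main__":
    for name, url in find_plaintext_repositories(SAMPLE_CONFIG):
        print(f"INSECURE  {name}: {url}")
    print(harden_config(SAMPLE_CONFIG))
```

Running the audit against the constructed configuration flags `central` and `legacy`; after `harden_config` the same audit reports nothing. Note that switching the scheme only helps if the client also verifies the server certificate, so the `fetch_guard` check belongs next to the HTTP client, not only in a one-off configuration scan.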
Referenced this pull request on Feb 13, 2019
We have a reserved CVE for this vulnerability. Details should be posted there shortly (hopefully).
With the DWF (Distributed Weakness Filing) having been shut down, it seems that MITRE has a bit of a backlog to chew through.