Vulnerability: Insecure Binary Retrieval in Eclipse Che 6 Stacks

CVE-2021-41034 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

The build of some language stacks of Eclipse Che version 6 pulls some binaries from a plain, unencrypted HTTP endpoint. As a consequence, the builds of those stacks are vulnerable to man-in-the-middle (MITM) attacks that allow the original binaries to be replaced with arbitrary ones. The stacks involved are Java 8 (alpine and centos), Android and PHP. The vulnerability is not exploitable at runtime, but only while building Che.
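The weakness described above is a build-time one: a Dockerfile `RUN` step fetches an artifact over `http://`, so anyone on the network path can substitute it. The example below is added here and is not Eclipse Che's own build tooling; it is a small scanner that walks a Dockerfile's `RUN` instructions (joining backslash-continued lines) and flags plain-HTTP downloads, plus HTTPS downloads in the same step that are never checked against a pinned digest. The two Dockerfiles, the hostname `downloads.example.invalid` and the all-zero `TOOL_SHA256` value are constructed placeholders, not values from the advisory.

```python
"""Detect unauthenticated plain-HTTP downloads in Dockerfile RUN steps.

Added example (not Eclipse Che project code). The sample Dockerfiles, the
hostname downloads.example.invalid and the digest value are constructed.
"""
import re
from dataclasses import dataclass

# A plain-HTTP URL; the \b keeps "https://" from matching.
HTTP_URL = re.compile(r"\bhttp://[^\s'\"]+")
HTTPS_URL = re.compile(r"\bhttps://[^\s'\"]+")
FETCH_CMD = re.compile(r"\b(curl|wget)\b")
# Commands that pin the downloaded content to a known digest or signature.
CHECKSUM_CMD = re.compile(r"\b(sha256sum|sha512sum|gpg)\b")


@dataclass
class Finding:
    line_no: int   # line of the RUN instruction in the Dockerfile
    kind: str      # "plain-http" or "unverified-download"
    url: str


def _run_steps(dockerfile: str):
    """Yield (line number, full command) for each RUN instruction,
    joining backslash-continued lines the way the Docker builder does."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        start = i + 1
        if line.lstrip().upper().startswith("RUN"):
            cmd = line
            while cmd.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                cmd = cmd.rstrip()[:-1] + " " + lines[i]
            yield start, cmd
        i += 1


def scan_dockerfile(dockerfile: str) -> list[Finding]:
    """Return one Finding per risky download in a RUN step.

    plain-http:          the artifact is fetched over http:// (MITM-replaceable)
    unverified-download: fetched over https:// but no digest check in the step
    """
    findings = []
    for line_no, cmd in _run_steps(dockerfile):
        if not FETCH_CMD.search(cmd):
            continue
        for m in HTTP_URL.finditer(cmd):
            findings.append(Finding(line_no, "plain-http", m.group(0)))
        https_urls = HTTPS_URL.findall(cmd)
        if https_urls and not CHECKSUM_CMD.search(cmd):
            for url in https_urls:
                findings.append(Finding(line_no, "unverified-download", url))
    return findings


# Constructed sample: the pattern the advisory describes (plain HTTP, no check).
INSECURE_STACK = """\
FROM alpine:3.8
RUN apk add --no-cache curl && \\
    curl -L -o /tmp/tool.tar.gz http://downloads.example.invalid/tool-1.0.tar.gz && \\
    tar -xzf /tmp/tool.tar.gz -C /opt
"""

# Constructed hardened form: TLS transport plus a pinned SHA-256 digest.
# TOOL_SHA256 below is a placeholder, not a real artifact digest.
HARDENED_STACK = """\
FROM alpine:3.8
ARG TOOL_SHA256=0000000000000000000000000000000000000000000000000000000000000000
RUN apk add --no-cache curl && \\
    curl -fsSL -o /tmp/tool.tar.gz https://downloads.example.invalid/tool-1.0.tar.gz && \\
    echo "${TOOL_SHA256}  /tmp/tool.tar.gz" | sha256sum -c - && \\
    tar -xzf /tmp/tool.tar.gz -C /opt
"""

if __name__ == "__main__":
    for name, content in (("insecure", INSECURE_STACK), ("hardened", HARDENED_STACK)):
        print(f"{name}: {scan_dockerfile(content) or 'no findings'}")
```

The scanner is deliberately per-step: a digest check in a later `RUN` will not silence an `unverified-download` finding, which errs on the side of a review rather than a miss. Note that a checksum alone does not downgrade the `plain-http` finding either; a pinned digest protects integrity, but the build should still use HTTPS so the transport does not leak which artifact versions are being pulled.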
