nvd-json-data-feeds/CVE-2021/CVE-2021-327xx/CVE-2021-32700.json

{
  "id": "CVE-2021-32700",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2021-06-22T20:15:08.637",
  "lastModified": "2021-06-29T18:56:14.373",
  "vulnStatus": "Analyzed",
  "descriptions": [
    {
      "lang": "en",
      "value": "Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4."
    },
    {
      "lang": "es",
      "value": "Ballerina es un lenguaje de programaci\u00f3n de c\u00f3digo abierto y una plataforma para programadores de aplicaciones en la nube. Ballerina versiones 1.2.x y SL hasta la alfa 3 tienen un potencial para un ataque a la cadena de suministro  por medio de MiTM contra los usuarios. Las conexiones Http no hac\u00edan uso de TLS y se ignoraba la comprobaci\u00f3n de certificados. La vulnerabilidad permite a un atacante sustituir o modificar los paquetes recuperados de BC permitiendo as\u00ed inyectar c\u00f3digo malicioso en los ejecutables de Ballerina. Esto ha sido parcheado en Ballerina versi\u00f3n 1.2.14 y Ballerina versi\u00f3n SwanLake alpha4"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.8
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 4.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.2.14",
              "matchCriteriaId": "11BA594E-F609-41A8-95DE-BD85C64974B6"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:*",
              "matchCriteriaId": "10FD03E6-19DB-4FCA-A83B-C7302A2715C7"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:*",
              "matchCriteriaId": "86E59979-D90D-4451-9420-344C71492504"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE0D267F-0506-44A6-A44E-7E4841293459"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    }
  ]
}