-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathInsecureDependencyResolution.qhelp
More file actions
73 lines (62 loc) · 2.19 KB
/
InsecureDependencyResolution.qhelp
File metadata and controls
73 lines (62 loc) · 2.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>Using an insecure protocol like HTTP or FTP to download your dependencies leaves your Maven build vulnerable to a
<a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">Man in the Middle (MITM)</a>.
This can allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
that are being produced. This can be used by attackers to perform a
<a href="https://en.wikipedia.org/wiki/Supply_chain_attack">Supply chain attack</a>
against your project's users.
</p>
<p>This vulnerability has a
<a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1">
CVSS v3.1 base score of 8.1/10
</a>.</p>
</overview>
<recommendation>
<p>Always use HTTPS or SFTP to download artifacts from artifact servers.</p>
</recommendation>
<example>
<p>These examples show examples of locations in Maven POM files where artifact repository upload/download is configured.
The first shows the use of HTTP, the second shows the use of HTTPS.
</p>
<sample src="insecure-pom.xml" />
<sample src="secure-pom.xml" />
</example>
<references>
<li>
Research:
<a href="https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e">
Want to take over the Java ecosystem? All you need is a MITM!
</a>
</li>
<li>
Research:
<a href="https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/">
How to take over the computer of any Java (or Closure or Scala) Developer.
</a>
</li>
<li>
Proof of Concept:
<a href="https://github.com/mveytsman/dilettante">
mveytsman/dilettante
</a>
</li>
<li>
Additional Gradle & Maven plugin:
<a href="https://spring.io/blog/2019/06/10/announcing-nohttp">
Announcing nohttp
</a>
</li>
<li>
Java Ecosystem Announcement:
<a href="https://gist.github.com/JLLeitschuh/789e49e3d34092a005031a0a1880af99">
HTTP Decommission Artifact Server Announcements
</a>
</li>
<!-- LocalWords: CWE maven dependencies artifact
-->
</references>
</qhelp>