CVE-2021-32700 - OpenCVE

Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Ballerina	Swan Lake Ballerina

Configuration 1 [-]

OR	cpe:2.3:a:ballerina:ballerina::::::::
	cpe:2.3:a:ballerina:swan_lake:alpha1:::::::*
	cpe:2.3:a:ballerina:swan_lake:alpha2:::::::*
	cpe:2.3:a:ballerina:swan_lake:alpha3:::::::*

References

Link	Resource
https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816	Patch Third Party Advisory
https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-06-22T19:30:12

Updated: 2021-06-22T19:30:12

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32700

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-22T20:15:08.637

Modified: 2021-06-29T18:56:14.373

Link: CVE-2021-32700

JSON object: View

Redhat Information

No data.

CWE

CWE-306

{"containers": {"cna": {"affected": [{"product": "ballerina-lang", "vendor": "ballerina-platform", "versions": [{"status": "affected", "version": "< 1.2.14"}, {"status": "affected", "version": "< SL-alpha4"}]}], "descriptions": [{"lang": "en", "value": "Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-22T19:30:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816"}], "source": {"advisory": "GHSA-f5qg-fqrw-v5ww", "discovery": "UNKNOWN"}, "title": "Supply chain attack via MiTM against users", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32700", "STATE": "PUBLIC", "TITLE": "Supply chain attack via MiTM against users"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ballerina-lang", "version": {"version_data": [{"version_value": "< 1.2.14"}, {"version_value": "< SL-alpha4"}]}}]}, "vendor_name": "ballerina-platform"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-306: Missing Authentication for Critical Function"}]}]}, "references": {"reference_data": [{"name": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww", "refsource": "CONFIRM", "url": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww"}, {"name": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816", "refsource": "MISC", "url": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816"}]}, "source": {"advisory": "GHSA-f5qg-fqrw-v5ww", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32700", "datePublished": "2021-06-22T19:30:12", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2021-06-22T19:30:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:*", "matchCriteriaId": "11BA594E-F609-41A8-95DE-BD85C64974B6", "versionEndExcluding": "1.2.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:*", "matchCriteriaId": "10FD03E6-19DB-4FCA-A83B-C7302A2715C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:*", "matchCriteriaId": "86E59979-D90D-4451-9420-344C71492504", "vulnerable": true}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:*", "matchCriteriaId": "FE0D267F-0506-44A6-A44E-7E4841293459", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4."}, {"lang": "es", "value": "Ballerina es un lenguaje de programaci\u00f3n de c\u00f3digo abierto y una plataforma para programadores de aplicaciones en la nube. Ballerina versiones 1.2.x y SL hasta la alfa 3 tienen un potencial para un ataque a la cadena de suministro por medio de MiTM contra los usuarios. Las conexiones Http no hac\u00edan uso de TLS y se ignoraba la comprobaci\u00f3n de certificados. La vulnerabilidad permite a un atacante sustituir o modificar los paquetes recuperados de BC permitiendo as\u00ed inyectar c\u00f3digo malicioso en los ejecutables de Ballerina. Esto ha sido parcheado en Ballerina versi\u00f3n 1.2.14 y Ballerina versi\u00f3n SwanLake alpha4"}], "id": "CVE-2021-32700", "lastModified": "2021-06-29T18:56:14.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-06-22T20:15:08.637", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}