CVE-2021-32700

Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:*

History

21 Nov 2024, 06:07

Type Values Removed Values Added
CVSS v2 : 5.8
v3 : 7.4
v2 : 5.8
v3 : 9.1
References () https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - Patch, Third Party Advisory () https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - Patch, Third Party Advisory
References () https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - Third Party Advisory () https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - Third Party Advisory

29 Jun 2021, 18:56

Type Values Removed Values Added
CPE cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:*
cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 5.8
v3 : 7.4
CWE CWE-306
References (MISC) https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - (MISC) https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - Patch, Third Party Advisory
References (CONFIRM) https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - (CONFIRM) https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - Third Party Advisory

22 Jun 2021, 20:58

Type Values Removed Values Added
New CVE

Information

Published : 2021-06-22 20:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32700

Mitre link : CVE-2021-32700

CVE.ORG link : CVE-2021-32700


JSON object : View

Products Affected

ballerina

  • ballerina
  • swan_lake
CWE
CWE-306

Missing Authentication for Critical Function