Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.
References
Link | Resource |
---|---|
https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 | Patch Third Party Advisory |
https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww | Third Party Advisory |
https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 | Patch Third Party Advisory |
https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:07
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 5.8
v3 : 9.1 |
References | () https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - Patch, Third Party Advisory | |
References | () https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - Third Party Advisory |
29 Jun 2021, 18:56
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:* cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:* cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:* cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : 5.8
v3 : 7.4 |
CWE | CWE-306 | |
References | (MISC) https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww - Third Party Advisory |
22 Jun 2021, 20:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-06-22 20:15
Updated : 2024-11-21 06:07
NVD link : CVE-2021-32700
Mitre link : CVE-2021-32700
CVE.ORG link : CVE-2021-32700
JSON object : View
Products Affected
ballerina
- ballerina
- swan_lake
CWE
CWE-306
Missing Authentication for Critical Function