CVE-2021-32700

Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.

CVSS v3 7.4 HIGH
CVSS v2.0 5.8 MEDIUM

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816	Patch Third Party Advisory
https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ballerina:ballerina::::::::
	cpe:2.3:a:ballerina:swan_lake:alpha1:::::::*
	cpe:2.3:a:ballerina:swan_lake:alpha2:::::::*
	cpe:2.3:a:ballerina:swan_lake:alpha3:::::::*

History

No history.

Information

Published : 2021-06-22 20:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-32700

Mitre link : CVE-2021-32700

CVE.ORG link : CVE-2021-32700

JSON object : View

Products Affected

ballerina

ballerina
swan_lake

CWE

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2021-32700", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2021-06-22T20:15:08.637", "references": [{"url": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. Http connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC thus allowing to inject malicious code into ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4."}, {"lang": "es", "value": "Ballerina es un lenguaje de programaci\u00f3n de c\u00f3digo abierto y una plataforma para programadores de aplicaciones en la nube. Ballerina versiones 1.2.x y SL hasta la alfa 3 tienen un potencial para un ataque a la cadena de suministro por medio de MiTM contra los usuarios. Las conexiones Http no hac\u00edan uso de TLS y se ignoraba la comprobaci\u00f3n de certificados. La vulnerabilidad permite a un atacante sustituir o modificar los paquetes recuperados de BC permitiendo as\u00ed inyectar c\u00f3digo malicioso en los ejecutables de Ballerina. Esto ha sido parcheado en Ballerina versi\u00f3n 1.2.14 y Ballerina versi\u00f3n SwanLake alpha4"}], "lastModified": "2021-06-29T18:56:14.373", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ballerina:ballerina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "11BA594E-F609-41A8-95DE-BD85C64974B6", "versionEndExcluding": "1.2.14"}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "10FD03E6-19DB-4FCA-A83B-C7302A2715C7"}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86E59979-D90D-4451-9420-344C71492504"}, {"criteria": "cpe:2.3:a:ballerina:swan_lake:alpha3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FE0D267F-0506-44A6-A44E-7E4841293459"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}