GHSA-fg2q-v428-2gph

GitHub Security Advisory

Eclipse Vorto resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts for the Xtext project over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by a man-in-the-middle (MITM) attack. As a result, build artifacts produced by Vorto might be infected.

Affected Packages

Maven org.eclipse.vorto:org.eclipse.vorto.core
Affected versions: 0 (fixed in 0.11.0)

Key Information

GHSA ID: GHSA-fg2q-v428-2gph
Published: May 24, 2022 4:44 PM
Last Modified: November 22, 2022 7:37 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.eclipse.vorto:org.eclipse.vorto.core
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.