Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SwanLake (SL) releases up to alpha 3 are exposed to a potential supply chain attack via man-in-the-middle (MitM) against users. HTTP connections did not make use of TLS, and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from Ballerina Central (BC), and thereby to inject malicious code into Ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.
[
{
"id": "CVE-2021-32700-085ca1cb",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "97250936924521824349175195893844226239",
"length": 45.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "getAcceptedIssuers",
"file": "compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-120d5397",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"228389828268307846700251097930586861851",
"13081412514740280464474598279034047588",
"250994280383592520327291737833607802979",
"162061021268664899436383678691357386667",
"224117929820807543500569094850491239774",
"195711397869864078581036163695727391033",
"72290392899678749006878818007455465940",
"302126381794142603175133138029228411995",
"181120561898736477588405843984033898107",
"54706929500258734839080494539924724018",
"200234522235834984762932074908681764290",
"147040186767335179864970030526275722011",
"224044284986984483659218476977823775108",
"177006760184443351558713593434912116137",
"102855397252877801711730955326544224226",
"67649531808842818465550526307603141394",
"7303063757839578978246738029641676006",
"44748734577433951717067127757192340555",
"107424180792845869545439269733601339891",
"203479053389690415297068609213532505061",
"272934418803472540093913479932481716129",
"133821237896050859302736192152133517262",
"335499025711110133337351131751679731352",
"13909164821339746936605242124643338635",
"104814362997758487343360914988395080235",
"216683731779472754790875278924242114623",
"106945143412012216484977120130641960801",
"242871162034582878994204753566760452261",
"143803740464925787281241680077231007957",
"79634753605868049936800243781439826674",
"274979491492732150893682021185412697945"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Push.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-13814d5c",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "59736554295460897491642331698804713990",
"length": 48.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "checkServerTrusted",
"file": "compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-17c0aeeb",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"228389828268307846700251097930586861851",
"13081412514740280464474598279034047588",
"46933933436038143166469186396408550753",
"131667121661962643116797333680303952464",
"56897048003264067473447656292519293179",
"171343836637834910748135288703538050548",
"190771426941226481145012396021542092418",
"227690555787625813185677651052445413686",
"200234522235834984762932074908681764290",
"147040186767335179864970030526275722011",
"140946155583230792681679846520664251614",
"22384366167360447425723028836806054217",
"145806832822413010778864694309758502814",
"186947657376250771893126871409240882529",
"24816320428253872335820703970660632672",
"44748734577433951717067127757192340555",
"221659159364251923301169988394837217067",
"155522693108991895839869946700750865649",
"163037999644359427905086510450126223346",
"265899488172159373035088279547445284640",
"337683468770870465419855223884664312514",
"176783853426302107935318836965217400895",
"11510843840355355879493906078905376354",
"15463608466701215683642545618305195355",
"321692600109211451949678599398884496635"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Search.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-28a6f590",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"199600275465600081034058132341130464140",
"90594474722853072520312699102224774358",
"75324344060246797009986553218221854262",
"232065225700029622763846038758755916389",
"87935174336259653407909313512169922274",
"40336379058214772823505704796350782959",
"48082161765409715421459381347570408490",
"338371627924861857862279524299511921507",
"86196498692912032858183865851597944235",
"77926267242000833196059894425362114825",
"256937432048922214558269223612813704338",
"288229360889411426586105870409001302609",
"40252286632764156260414924698481078444",
"284904587426335055019610704043319049133",
"299129241037122953077644342540075240205",
"13485021421777011880159753168906972759",
"187445896329931529669193015364824871146",
"497666000163226984802854905221657295",
"228146344350543261671247338391502453368",
"322935352237039063154784824540319748927",
"148773204688191369310689450322251109482"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/test/java/org/ballerinalang/cli/module/UtilsTest.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-316e38a1",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "236136853907640659721725130746821823407",
"length": 1619.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "handle",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/TokenUpdater.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-37f0d6e9",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "59736554295460897491642331698804713990",
"length": 48.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "checkClientTrusted",
"file": "compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-3d393a44",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"240323136977963935955733994265814414506",
"77450349381417500229315584851755576424",
"122968813795290036421129080808410308737",
"116803132009244826589037120721155944648",
"172858239463199452889514877003741758600",
"154384555515982428892808328141021093368",
"104314203763107316335758488159191961285",
"184506603540872416726068598605613817037",
"210361108814957778458373113437675760192",
"120152699919018904358520931399175144980",
"116165338665034305323665091533421537514",
"5454076832748896098871410500994344224",
"249362138761432984204780193809151998162",
"105889930602175759734805724500963922532",
"247080227629734487130115182720212797872",
"266215980354827687587448804262491430628",
"74265161227445934484044402634180666056",
"249333657066564929739381096327043729694",
"133190848611968401098665339681070335638",
"325698835848031003038897713749440938907",
"46764961626991739694184223543217068615",
"138530416315130487974142627289122922517",
"166973837530467447151893379084603992229",
"109135733344301629139384981634033102659",
"138402503816989462146084113071069704398",
"158752575289770739252393434657573749970",
"112595003442186560792462274737139963142",
"175843411347656615092187816001592428047",
"70820188075597862227779019052403011470",
"129490689314668282204597387346618531212",
"57821034017107674145469106581721248647",
"107582272414547877048137300937779479709",
"70009827375430887785460111051505960232",
"86254989117511461412090990461959057432",
"111600203456367221301937889175985621685",
"144321355586215267312650571367068100808",
"30827298710124091488474639471546364980",
"248992596494494732532151638209660552199",
"15262398423771539785958110178965703491",
"130765771688712600518182479435822276343",
"307406620687702604752254784123616224971",
"211478409435677750571228732910561020262",
"270354269327985356860684773595893295542",
"110356399431105161937592771576414346483",
"85070624314345150387287085454546268418",
"129150113918394965823357361011758687910",
"314726687011319292376959365992782315367",
"278459709626077190744096383235526585627",
"156167646061085282448719287560990598394",
"333458675270637655792066847194024407216",
"173309277873117377011165527816033772912",
"81733678895483271294006472590181169357",
"169564049040459535895617949991972243333",
"226379119270026487289349886407322825293",
"103272190675768009922941904208450394568",
"112435547253502735174074337181866428974",
"156160493617538337946680524499891523111"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-43d04ae0",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "59736554295460897491642331698804713990",
"length": 48.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "checkClientTrusted",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-49e50fb5",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "97250936924521824349175195893844226239",
"length": 45.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "getAcceptedIssuers",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-4ec790aa",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"277446951348436230754636595331460995595",
"47189821641732184004730827931856324415",
"323376641812689198249276667394681232322",
"233229738582850660158639872677622294989",
"28651101754289646858484704670130028093",
"249534113820262517081751736821517347193",
"288293971037601407110126566604459157949",
"2999859995456291618818103846016386436",
"193622956062761439884508239930420585521",
"219884223737941049088057142988189742324",
"229514479992212992218125965638918969828",
"299654128335211636286224771296189846437",
"71850453706859755558442142400565137825"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/TokenUpdater.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-7b2dc945",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"228389828268307846700251097930586861851",
"13081412514740280464474598279034047588",
"250994280383592520327291737833607802979",
"162061021268664899436383678691357386667",
"258694964582469106981702069752731846106",
"93301875127635655071672120927201643606",
"126403649450382603869563374403399175142",
"126152854225325172869758844673883113441",
"163746988287355005585852320458381845550",
"172951325892561323118226650672134744678",
"200234522235834984762932074908681764290",
"147040186767335179864970030526275722011",
"76295546549959727833004088827005236814",
"178232422166186775538245801428843631190",
"246436397960638452875131000604027724013",
"321839053442365399130246124034114623512",
"203347943185227243209584139715138367912",
"225333153153628145879159807500283936215",
"303608950409057605744864421415840700804",
"42435509244539577690627736679996948199",
"265838802895764656914567365036244031584",
"243492076645303086073193722205480633778",
"133230466807548622376330317605695807044",
"333304371725110000027266122006398988985",
"77773844960301148739744010868599825778",
"165716649850987171530557058403426274699",
"181881574215540289225640725889538576748",
"59241055331452606937252506083935788560",
"154798614656194790430105576139536477557",
"252119199144527057953654412457154128093",
"328019181376612887594796087297606747853",
"138111811732676004108920901228985112744",
"8313156838768051878405815840535859282",
"114137489958952686979430675881387725318",
"79946820313211055600658816979215826388",
"185631615369463951500450598827676239909",
"327222507999333180892012566165626217207",
"53575241258862375798746896656711884739",
"179370813332682885298220744767418621707",
"14640721977768269860400629821890821245",
"247400998320668111819941578584646413961",
"81545376350456299587846709849475781959",
"106292741191617724732978008700445126744"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Pull.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-8bdfcaf1",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"24572574298838596230047925095537063802",
"36329467928914227168120219775243970052",
"42876807165694747253975545062758744933",
"162061021268664899436383678691357386667",
"48875717403766953261123693625531324681",
"83101894808211517656513686954897821610",
"277893901270356612556903249964373466396",
"201656162174403842746436106670032583109",
"20467942205310989776972907595697479127",
"243814720669669174940731092888639069152",
"24239670811593326568055590969311992950",
"49511242055910984050482095069714498256",
"283840354572684905844952508705926041060",
"327712090369867702865113432362221367565",
"175775539777485270307289843614574085973",
"209552912463183082460215738401066202473",
"98023186957540957240540942357372684320",
"251931596299392272451184079317693656608"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "tests/jballerina-integration-test/src/test/java/org/ballerinalang/test/packaging/PackagingTestCase.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-a669cc9c",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"line_hashes": [
"228389828268307846700251097930586861851",
"73694585675166224270223438915506089363",
"152233912486493375041151429049191660746",
"11789193345006942191583127847787613363",
"201944511606860467255843108153068660016",
"112179590448977807083164750277183711029",
"205616849884486043137296837002054401078",
"230729690644901752089494103555728622724",
"267810195553596318608611243410039545889",
"15124694434253086141361875762847269694",
"15974934832676457344825919668842582781",
"260382978021233724005473713699632626658",
"339407058080154045328928754180865428409",
"249362138761432984204780193809151998162",
"95738745935796370452298668672440024667",
"23719286743383408315193425649958770199",
"249410081294376234449532684613293396888",
"131939502110769195797199065027344417710",
"317766986226971184461468177010124446936",
"275090641399072424647285797670024583859",
"116192104654793488934894699657857591915",
"63518483457692527237682259871607039400",
"138530416315130487974142627289122922517",
"166973837530467447151893379084603992229",
"109135733344301629139384981634033102659",
"138402503816989462146084113071069704398",
"336053454713285552139144098458554321499",
"75511518596135205798701595869093941524",
"277315154109006496371400362874668552147",
"157440318559702324116959007144363580367",
"45541009614403741768330819942353672263",
"261952133933767961327254421500434279322",
"122958738766078107174413552922795458366",
"90768367501223219109961810886831586272",
"243522903645507338006129739026817095818",
"217798710955552825652531985087702989651",
"51839861179956546459913659650639415900",
"241946798954780860230606870084143475266",
"286173876077956420924551060404374749758",
"244352028284426028269008207045502869816",
"235330650560820716480893271251810914792",
"205032230206424568386759440079911138148",
"65904203156950750443437992259505307928",
"304835264905626129281695963859617014903",
"215171944475310647765022897464567239946",
"33864309901777724967410613389506446359",
"224735147793051693101568865394539673133",
"220574242063011734645192876238471207947",
"201045479616604760064247288676499379792"
],
"threshold": 0.9
},
"signature_type": "Line",
"deprecated": false,
"target": {
"file": "compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-a8d9de61",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "283405098322253846519973403079013164203",
"length": 353.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "initializeSsl",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-be6e26ae",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "169879272098072302185610886075219759704",
"length": 355.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "execute",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Search.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-c6ccb656",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "59736554295460897491642331698804713990",
"length": 48.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "checkServerTrusted",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-de0fa6ed",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "66099232097896639362790510110796053869",
"length": 1222.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "execute",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Pull.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-e6ce1854",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "135687322152800010441211939147281876709",
"length": 958.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "testPullCount",
"file": "tests/jballerina-integration-test/src/test/java/org/ballerinalang/test/packaging/PackagingTestCase.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-ebb863f9",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "66182466050638019904003281602555412701",
"length": 444.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "URIDryConverter",
"file": "compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"
},
"signature_version": "v1"
},
{
"id": "CVE-2021-32700-f213f9e9",
"source": "https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816",
"digest": {
"function_hash": "211223261439549401858568255042079542642",
"length": 1356.0
},
"signature_type": "Function",
"deprecated": false,
"target": {
"function": "execute",
"file": "cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Push.java"
},
"signature_version": "v1"
}
]