[EXT_EP-10212] Getting started view has a vulnerability to remote execution with man-in-the-middle attack
Created: | 14/Jan/21 | Updated: | 18/Jan/21 | Resolved: | 14/Jan/21 |
Status: | Fixed |
Project: | Embedded Software & Tools |
Component/s: | None |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | Bug | Priority: | Urgent |
Reporter: | TI User | Assignee: | TI User |
Resolution: | Fixed | Votes: | 0 |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Product: | Code Composer Studio IDE |
Internal ID: | CCSIDE-3879 |
Found In Release: | CCS_9.1.0 CCS_9.0.1 CCS 9.2.0 CCS_9.0.0 CCS_8.0.0 CCS_8.1.0 CCS_10.0.0 CCS_8.2.0 CCS_9.3.0 CCS_8.3.0 CCS_10.1.0 |
Fix In Release: | CCS_10.2.0 CCS_10.1.1 |
Affected Platform/Device: | Generic |
Release Notes: | It is recommended to upgrade to the CCSv10.1.1 service release or the CCSv10.2.0 product release, which contain fixes that close this vulnerability. |
Description
The Getting Started View in Code Composer Studio uses a browser called JxBrowser. When opened, this view automatically plays a YouTube video introducing users to the product. As configured, the browser did not verify the validity of HTTPS connection certificates. This weak authentication issue leaves it vulnerable to a man-in-the-middle attack, which could be exploited to perform a live action.