{"id":"CVE-2021-32700","details":"Ballerina is an open source programming language and platform for cloud application programmers. Ballerina versions 1.2.x and SL releases up to alpha 3 have a potential for a supply chain attack via MiTM against users. HTTP connections did not make use of TLS and certificate checking was ignored. The vulnerability allows an attacker to substitute or modify packages retrieved from BC, thus allowing the attacker to inject malicious code into Ballerina executables. This has been patched in Ballerina 1.2.14 and Ballerina SwanLake alpha4.","modified":"2026-04-12T19:50:00.915460Z","published":"2021-06-22T20:15:08.637Z","related":["GHSA-f5qg-fqrw-v5ww"],"references":[{"type":"ADVISORY","url":"https://github.com/ballerina-platform/ballerina-lang/security/advisories/GHSA-f5qg-fqrw-v5ww"},{"type":"FIX","url":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ballerina-platform/ballerina-lang","events":[{"introduced":"0"},{"fixed":"296d1d7c535d31e7dfe610909ca11e0ea24f7088"},{"introduced":"0"},{"last_affected":"2811322600380756c0804448324d7e634637e3c3"},{"introduced":"0"},{"last_affected":"2811322600380756c0804448324d7e634637e3c3"},{"introduced":"0"},{"last_affected":"2811322600380756c0804448324d7e634637e3c3"},{"fixed":"4609ffee1744ecd16aac09303b1783bf0a525816"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.14"},{"introduced":"0"},{"last_affected":"alpha1"},{"introduced":"0"},{"last_affected":"alpha2"},{"introduced":"0"},{"last_affected":"alpha3"}]}}],"versions":["jdk-1.8","v0.970.0-SNAPSHOT.180329212739","v0.970.0-SNAPSHOT.1803302831","v1.2.0","v1.2.9","vswan-lake-preview7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32700.json","vanir_signatures_modified":"2026-04-12T19:50:00Z","vanir_signatures":[{"signature_type":"Function","target":{"function":"getAcceptedIssu
ers","file":"compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-085ca1cb","signature_version":"v1","digest":{"length":45,"function_hash":"97250936924521824349175195893844226239"}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Push.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-120d5397","signature_version":"v1","digest":{"line_hashes":["228389828268307846700251097930586861851","13081412514740280464474598279034047588","250994280383592520327291737833607802979","162061021268664899436383678691357386667","224117929820807543500569094850491239774","195711397869864078581036163695727391033","72290392899678749006878818007455465940","302126381794142603175133138029228411995","181120561898736477588405843984033898107","54706929500258734839080494539924724018","200234522235834984762932074908681764290","147040186767335179864970030526275722011","224044284986984483659218476977823775108","177006760184443351558713593434912116137","102855397252877801711730955326544224226","67649531808842818465550526307603141394","7303063757839578978246738029641676006","44748734577433951717067127757192340555","107424180792845869545439269733601339891","203479053389690415297068609213532505061","272934418803472540093913479932481716129","133821237896050859302736192152133517262","335499025711110133337351131751679731352","13909164821339746936605242124643338635","104814362997758487343360914988395080235","216683731779472754790875278924242114623","106945143412012216484977120130641960801","242871162034582878994204753566760452261","143803740464925787281241680077231007957","79634753605868049936800243781439826674","274979491492732150
893682021185412697945"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"checkServerTrusted","file":"compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-13814d5c","signature_version":"v1","digest":{"length":48,"function_hash":"59736554295460897491642331698804713990"}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Search.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-17c0aeeb","signature_version":"v1","digest":{"line_hashes":["228389828268307846700251097930586861851","13081412514740280464474598279034047588","46933933436038143166469186396408550753","131667121661962643116797333680303952464","56897048003264067473447656292519293179","171343836637834910748135288703538050548","190771426941226481145012396021542092418","227690555787625813185677651052445413686","200234522235834984762932074908681764290","147040186767335179864970030526275722011","140946155583230792681679846520664251614","22384366167360447425723028836806054217","145806832822413010778864694309758502814","186947657376250771893126871409240882529","24816320428253872335820703970660632672","44748734577433951717067127757192340555","221659159364251923301169988394837217067","155522693108991895839869946700750865649","163037999644359427905086510450126223346","265899488172159373035088279547445284640","337683468770870465419855223884664312514","176783853426302107935318836965217400895","11510843840355355879493906078905376354","15463608466701215683642545618305195355","321692600109211451949678599398884496635"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/test/java/org/ballerinalang
/cli/module/UtilsTest.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-28a6f590","signature_version":"v1","digest":{"line_hashes":["199600275465600081034058132341130464140","90594474722853072520312699102224774358","75324344060246797009986553218221854262","232065225700029622763846038758755916389","87935174336259653407909313512169922274","40336379058214772823505704796350782959","48082161765409715421459381347570408490","338371627924861857862279524299511921507","86196498692912032858183865851597944235","77926267242000833196059894425362114825","256937432048922214558269223612813704338","288229360889411426586105870409001302609","40252286632764156260414924698481078444","284904587426335055019610704043319049133","299129241037122953077644342540075240205","13485021421777011880159753168906972759","187445896329931529669193015364824871146","497666000163226984802854905221657295","228146344350543261671247338391502453368","322935352237039063154784824540319748927","148773204688191369310689450322251109482"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"handle","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/TokenUpdater.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-316e38a1","signature_version":"v1","digest":{"length":1619,"function_hash":"236136853907640659721725130746821823407"}},{"signature_type":"Function","target":{"function":"checkClientTrusted","file":"compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-37f0d6e9","signature_version":"v1","digest":{"length":48,"function_hash":"5973655429546089749164233
1698804713990"}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-3d393a44","signature_version":"v1","digest":{"line_hashes":["240323136977963935955733994265814414506","77450349381417500229315584851755576424","122968813795290036421129080808410308737","116803132009244826589037120721155944648","172858239463199452889514877003741758600","154384555515982428892808328141021093368","104314203763107316335758488159191961285","184506603540872416726068598605613817037","210361108814957778458373113437675760192","120152699919018904358520931399175144980","116165338665034305323665091533421537514","5454076832748896098871410500994344224","249362138761432984204780193809151998162","105889930602175759734805724500963922532","247080227629734487130115182720212797872","266215980354827687587448804262491430628","74265161227445934484044402634180666056","249333657066564929739381096327043729694","133190848611968401098665339681070335638","325698835848031003038897713749440938907","46764961626991739694184223543217068615","138530416315130487974142627289122922517","166973837530467447151893379084603992229","109135733344301629139384981634033102659","138402503816989462146084113071069704398","158752575289770739252393434657573749970","112595003442186560792462274737139963142","175843411347656615092187816001592428047","70820188075597862227779019052403011470","129490689314668282204597387346618531212","57821034017107674145469106581721248647","107582272414547877048137300937779479709","70009827375430887785460111051505960232","86254989117511461412090990461959057432","111600203456367221301937889175985621685","144321355586215267312650571367068100808","30827298710124091488474639471546364980","248992596494494732532151638209660552199","15262398423771539785958110178965703491","13076577168871
2600518182479435822276343","307406620687702604752254784123616224971","211478409435677750571228732910561020262","270354269327985356860684773595893295542","110356399431105161937592771576414346483","85070624314345150387287085454546268418","129150113918394965823357361011758687910","314726687011319292376959365992782315367","278459709626077190744096383235526585627","156167646061085282448719287560990598394","333458675270637655792066847194024407216","173309277873117377011165527816033772912","81733678895483271294006472590181169357","169564049040459535895617949991972243333","226379119270026487289349886407322825293","103272190675768009922941904208450394568","112435547253502735174074337181866428974","156160493617538337946680524499891523111"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"checkClientTrusted","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-43d04ae0","signature_version":"v1","digest":{"length":48,"function_hash":"59736554295460897491642331698804713990"}},{"signature_type":"Function","target":{"function":"getAcceptedIssuers","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-49e50fb5","signature_version":"v1","digest":{"length":45,"function_hash":"97250936924521824349175195893844226239"}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/TokenUpdater.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-4ec790aa","signature_version":"v1","digest":{"line_hashes":["27744695134843623075463659533146
0995595","47189821641732184004730827931856324415","323376641812689198249276667394681232322","233229738582850660158639872677622294989","28651101754289646858484704670130028093","249534113820262517081751736821517347193","288293971037601407110126566604459157949","2999859995456291618818103846016386436","193622956062761439884508239930420585521","219884223737941049088057142988189742324","229514479992212992218125965638918969828","299654128335211636286224771296189846437","71850453706859755558442142400565137825"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Pull.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-7b2dc945","signature_version":"v1","digest":{"line_hashes":["228389828268307846700251097930586861851","13081412514740280464474598279034047588","250994280383592520327291737833607802979","162061021268664899436383678691357386667","258694964582469106981702069752731846106","93301875127635655071672120927201643606","126403649450382603869563374403399175142","126152854225325172869758844673883113441","163746988287355005585852320458381845550","172951325892561323118226650672134744678","200234522235834984762932074908681764290","147040186767335179864970030526275722011","76295546549959727833004088827005236814","178232422166186775538245801428843631190","246436397960638452875131000604027724013","321839053442365399130246124034114623512","203347943185227243209584139715138367912","225333153153628145879159807500283936215","303608950409057605744864421415840700804","42435509244539577690627736679996948199","265838802895764656914567365036244031584","243492076645303086073193722205480633778","133230466807548622376330317605695807044","333304371725110000027266122006398988985","77773844960301148739744010868599825778","165716649850987171530557058403426274699","181881574215540289225640725889538576748","59241055
331452606937252506083935788560","154798614656194790430105576139536477557","252119199144527057953654412457154128093","328019181376612887594796087297606747853","138111811732676004108920901228985112744","8313156838768051878405815840535859282","114137489958952686979430675881387725318","79946820313211055600658816979215826388","185631615369463951500450598827676239909","327222507999333180892012566165626217207","53575241258862375798746896656711884739","179370813332682885298220744767418621707","14640721977768269860400629821890821245","247400998320668111819941578584646413961","81545376350456299587846709849475781959","106292741191617724732978008700445126744"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"tests/jballerina-integration-test/src/test/java/org/ballerinalang/test/packaging/PackagingTestCase.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-8bdfcaf1","signature_version":"v1","digest":{"line_hashes":["24572574298838596230047925095537063802","36329467928914227168120219775243970052","42876807165694747253975545062758744933","162061021268664899436383678691357386667","48875717403766953261123693625531324681","83101894808211517656513686954897821610","277893901270356612556903249964373466396","201656162174403842746436106670032583109","20467942205310989776972907595697479127","243814720669669174940731092888639069152","24239670811593326568055590969311992950","49511242055910984050482095069714498256","283840354572684905844952508705926041060","327712090369867702865113432362221367565","175775539777485270307289843614574085973","209552912463183082460215738401066202473","98023186957540957240540942357372684320","251931596299392272451184079317693656608"],"threshold":0.9}},{"signature_type":"Line","target":{"file":"compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"},"deprecated":false,"source":"https://gith
ub.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-a669cc9c","signature_version":"v1","digest":{"line_hashes":["228389828268307846700251097930586861851","73694585675166224270223438915506089363","152233912486493375041151429049191660746","11789193345006942191583127847787613363","201944511606860467255843108153068660016","112179590448977807083164750277183711029","205616849884486043137296837002054401078","230729690644901752089494103555728622724","267810195553596318608611243410039545889","15124694434253086141361875762847269694","15974934832676457344825919668842582781","260382978021233724005473713699632626658","339407058080154045328928754180865428409","249362138761432984204780193809151998162","95738745935796370452298668672440024667","23719286743383408315193425649958770199","249410081294376234449532684613293396888","131939502110769195797199065027344417710","317766986226971184461468177010124446936","275090641399072424647285797670024583859","116192104654793488934894699657857591915","63518483457692527237682259871607039400","138530416315130487974142627289122922517","166973837530467447151893379084603992229","109135733344301629139384981634033102659","138402503816989462146084113071069704398","336053454713285552139144098458554321499","75511518596135205798701595869093941524","277315154109006496371400362874668552147","157440318559702324116959007144363580367","45541009614403741768330819942353672263","261952133933767961327254421500434279322","122958738766078107174413552922795458366","90768367501223219109961810886831586272","243522903645507338006129739026817095818","217798710955552825652531985087702989651","51839861179956546459913659650639415900","241946798954780860230606870084143475266","286173876077956420924551060404374749758","244352028284426028269008207045502869816","235330650560820716480893271251810914792","205032230206424568386759440079911138148","65904203156950750443437992259505307928","3048352649056261292816959638596170
14903","215171944475310647765022897464567239946","33864309901777724967410613389506446359","224735147793051693101568865394539673133","220574242063011734645192876238471207947","201045479616604760064247288676499379792"],"threshold":0.9}},{"signature_type":"Function","target":{"function":"initializeSsl","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-a8d9de61","signature_version":"v1","digest":{"length":353,"function_hash":"283405098322253846519973403079013164203"}},{"signature_type":"Function","target":{"function":"execute","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Search.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-be6e26ae","signature_version":"v1","digest":{"length":355,"function_hash":"169879272098072302185610886075219759704"}},{"signature_type":"Function","target":{"function":"checkServerTrusted","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/util/Utils.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-c6ccb656","signature_version":"v1","digest":{"length":48,"function_hash":"59736554295460897491642331698804713990"}},{"signature_type":"Function","target":{"function":"execute","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Pull.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-de0fa6ed","signature_version":"v1","digest":{"length":1222,"function_hash":"66099232097896639362790510110796053869"}},{"signature_type":"Function","target":{"function":"testPullCount
","file":"tests/jballerina-integration-test/src/test/java/org/ballerinalang/test/packaging/PackagingTestCase.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-e6ce1854","signature_version":"v1","digest":{"length":958,"function_hash":"135687322152800010441211939147281876709"}},{"signature_type":"Function","target":{"function":"URIDryConverter","file":"compiler/ballerina-lang/src/main/java/org/wso2/ballerinalang/compiler/packaging/converters/URIDryConverter.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-ebb863f9","signature_version":"v1","digest":{"length":444,"function_hash":"66182466050638019904003281602555412701"}},{"signature_type":"Function","target":{"function":"execute","file":"cli/ballerina-cli-module/src/main/java/org/ballerinalang/cli/module/Push.java"},"deprecated":false,"source":"https://github.com/ballerina-platform/ballerina-lang/commit/4609ffee1744ecd16aac09303b1783bf0a525816","id":"CVE-2021-32700-f213f9e9","signature_version":"v1","digest":{"length":1356,"function_hash":"211223261439549401858568255042079542642"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}