Severity: CVSS 4.8 (Medium) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (MSRC Low). Attacker: network MITM. Analogue of metalama/Metalama#1655 (transport).
Affected code
UserInterface/PostSharp.Settings/Ceip/UploadManager.cs:32-33,349-365 - serverUrl = new Uri("http://bits.postsharp.net"), BITS upload.
Description
The CEIP/usage/exception package is uploaded via Windows BITS to a hardcoded http:// endpoint. The payload is RSA+AES encrypted (confidentiality preserved; the AES key comes from a CSPRNG), but the transport is unauthenticated cleartext: a network MITM sees upload metadata and can drop/redirect the (encrypted) blob. It is a one-way upload - the HTTP response is not parsed, so there is no inbound injection surface.
Recommendation
Use https:// (BITS supports it); keep the payload encryption as defense in depth.
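As an added example (not PostSharp's own code; class and member names are assumptions, only the hostname comes from this report), the weak setting beside the corrected one, with a scheme guard that fails closed before any upload job is created, so a later edit or a misconfigured override cannot silently reintroduce cleartext transport:

```csharp
using System;

// Added example, not the project's code. Only the hostname comes from the report;
// the class and member names below are hypothetical.
public static class CeipEndpointPolicy
{
    // Vulnerable setting as described in the report: unauthenticated cleartext transport.
    public static readonly Uri LegacyServerUrl = new Uri("http://bits.postsharp.net");

    // Recommended setting: TLS authenticates the server and protects upload metadata.
    public static readonly Uri HardenedServerUrl = new Uri("https://bits.postsharp.net");

    // Fail closed: refuse any endpoint that is not https before a BITS job is created.
    // The payload encryption stays in place as defense in depth; this guard only
    // covers the transport.
    public static Uri RequireHttps(Uri endpoint)
    {
        if (endpoint == null)
        {
            throw new ArgumentNullException(nameof(endpoint));
        }

        if (!string.Equals(endpoint.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Refusing to upload telemetry over '{endpoint.Scheme}'; only https is allowed: {endpoint}");
        }

        return endpoint;
    }
}

public static class Program
{
    public static void Main()
    {
        foreach (var candidate in new[] { CeipEndpointPolicy.LegacyServerUrl, CeipEndpointPolicy.HardenedServerUrl })
        {
            try
            {
                Uri accepted = CeipEndpointPolicy.RequireHttps(candidate);
                Console.WriteLine($"accepted: {accepted}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"rejected: {ex.Message}");
            }
        }
    }
}
```

The guard belongs on the code path that builds the upload job, not only on the constant, so that a test exercising the upload path catches a regression to http:// regardless of where the URL is sourced from.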
Backward compatibility
Endpoint scheme change is server-side coordination only; no client API/IL/MSBuild/pipe change.
Severity notes
Body encryption caps impact at metadata exposure plus tamper/drop of already-encrypted telemetry, hence MSRC Low despite the Medium CVSS base.
Resolution
The CEIP upload now uses https://bits.postsharp.net (payload encryption retained as defense in depth). A fix is in progress.