Vulnerability CVE-2019-11404


Published: 2019-04-22

Description:
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.

Type:
CWE-254 (Security Features)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software
Arrow-kt -> Arrow 

References:
https://github.com/arrow-kt/ank/issues/35
https://github.com/arrow-kt/ank/pull/36
https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8
https://github.com/arrow-kt/arrow/issues/1310
https://github.com/arrow-kt/arrow/releases/tag/0.9.0

Copyright 2021, cxsecurity.com

 
