https://bugzilla.redhat.com/show_bug.cgi?id=1698508
Bug ID: 1698508
Summary: CVE-2019-11065 gradle: Insecure HTTP URL used to download dependencies leading to possibly maliciously compromised artifacts.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190409,reported=20190410,source=internet,cvss3=8.1/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N,cwe=CWE-345,fedora-28/gradle=affected,fedora-29/gradle=affected,epel-6/gradle=affected,jbews-3/gradle=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: csutherl@redhat.com, dan@danieljamesscott.org, gzaronik@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jjelen@redhat.com, lgao@redhat.com, lkundrak@v3.sk, mbabacek@redhat.com, mizdebsk@redhat.com, msimacek@redhat.com, myarboro@redhat.com, stewardship-sig@lists.fedoraproject.org, twalsh@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
External References:
https://nvd.nist.gov/vuln/detail/CVE-2019-11065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11065
Upstream Repository: https://github.com/gradle/gradle/pull/8927