Vulnerability Details : CVE-2019-11404
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
Products affected by CVE-2019-11404
- cpe:2.3:a:arrow-kt:arrow:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11404
0.20% (probability of exploitation activity in the next 30 days)
~58th percentile (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2019-11404
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | MITRE | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2019-11404
- The product does not encrypt sensitive or critical information before storage or transmission. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-11404
- https://github.com/arrow-kt/arrow/releases/tag/0.9.0 (Release 0.9.0 · arrow-kt/arrow · GitHub) [Release Notes; Third Party Advisory]
- https://github.com/arrow-kt/ank/pull/36 (Download Dependencies over HTTPS by JLLeitschuh · Pull Request #36 · arrow-kt/ank · GitHub) [Patch; Third Party Advisory]
- https://github.com/arrow-kt/arrow/issues/1310 ([CVE-2019-11404][SECURITY] Releases are built/executed/released in the context of insecure/untrusted code · Issue #1310 · arrow-kt/arrow · GitHub) [Exploit; Third Party Advisory]
- https://github.com/arrow-kt/ank/issues/35 ([SECURITY] Releases are built/executed/released in the context of insecure/untrusted code · Issue #35 · arrow-kt/ank · GitHub) [Exploit; Patch; Third Party Advisory]
- https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8 (Fix some http vulnerabilities · arrow-kt/arrow@74198da · GitHub) [Patch; Third Party Advisory]