CVE-2017-3160

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-3160
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-3160.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-3160
Published
2018-02-01T21:29:00Z
Modified
2024-09-03T01:50:09.897169Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVAANDROIDGRADLEDISTRIBUTIONURL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

References

Affected packages

Git / github.com/apache/cordova-android

Affected ranges

Type
GIT
Repo
https://github.com/apache/cordova-android
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.5.1
0.9.6
0.9.6.1

1.*

1.0.0
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.1.0
1.2.0
1.3.0
1.3.0rc1
1.3.0rc2
1.4.0
1.4.0rc1
1.4.1
1.5.0
1.5.0rc1
1.6.0
1.6.0rc1
1.6.1
1.7.0
1.7.0rc1
1.8.0
1.8.0rc1
1.8.1pre
1.9.0
1.9.0rc1

2.*

2.0.0
2.0.0rc1
2.1.0
2.1.0rc1
2.1.0rc2
2.2.0
2.2.0rc1
2.2.0rc2
2.3.0
2.3.0rc1
2.3.0rc2
2.4.0
2.4.0rc1
2.4.0rc2
2.5.0
2.5.0rc1

6.*

6.1.0
6.1.1

Other

CheckIn_node_modules
CheckIn_node_modules_which
Gitignore_node_modules
StablePoC
rel/StablePoC

rel/6.*

rel/6.1.0
rel/6.1.1

v2.*

v2.3.0rc1