CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.

References

Affected packages

Git / github.com/gradle/gradle

Affected ranges

Type

GIT

Repo

https://github.com/gradle/gradle

Events

Introduced

Fixed

0a5b531749138f2f983f7c888fa7790bfc52d88a

Fixed

425b2b7a50cd84106a77cdf1ab665c89c6b14d2f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0"
        }
    ]
}

Affected versions

REL-0.*

REL-0.8

REL-0.9-preview-1

REL-0.9-preview-2

REL-0.9-preview-3

REL-0.9-rc-1

REL_0.*

REL_0.9

REL_0.9-rc-2

REL_0.9-rc-3

REL_0.9.1

REL_0.9.2

REL_1.*

REL_1.0-milestone-1

REL_1.0-milestone-2

REL_1.0-milestone-3

REL_1.11

REL_1.11-rc-1

REL_1.12

REL_1.12-rc-1

REL_1.12-rc-2

REL_3.*

REL_3.0-milestone-1

v0.*

v0.8

v0.8.0

v0.9

v0.9-RC1

v0.9-RC2

v0.9-RC3

v0.9.0

v0.9.0-RC1

v0.9.0-RC2

v0.9.0-RC3

v0.9.1

v0.9.2

v1.*

v1.0-M1

v1.0-M2

v1.0-M3

v1.0.0-M1

v1.0.0-M2

v1.0.0-M3

v1.11

v1.11-RC1

v1.11.0

v1.11.0-RC1

v1.12

v1.12-RC1

v1.12-RC2

v1.12.0

v1.12.0-RC1

v1.12.0-RC2

v3.*

v3.0.0-M1

v6.*

v6.0.0-RC1

v6.0.0-RC2

v6.0.0-RC3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16370.json"