[MAVEN:GHSA-PPRQ-4488-WGQX] Insecure transport protocol in Gradle

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

Package	Affected Version
pkg:maven/org.gradle/gradle-core	>= 1.4, < 5.4.0

Package	Fixed Version
pkg:maven/org.gradle/gradle-core	= 5.4.0

ID

MAVEN:GHSA-PPRQ-4488-WGQX

Severity

moderate

URL

https://github.com/advisories/GHSA-pprq-4488-wgqx

Published

2022-05-13T01:21:57
(2 years ago)

Modified

2023-03-06T20:45:53
(18 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2019-11065
			https://github.com/gradle/gradle/pull/8927
			https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WVXOXNLAYRGPKAZV63PYNV3HF27JW2MW/
			https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43P7SVDJOG6OUDVFR4ZIDITZLNHPGTO/
			https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YQ5CGOV5QVQCSPGE3WRZDKUGIXLHSZDR/
			https://github.com/advisories/GHSA-pprq-4488-wgqx

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.gradle/gradle-core	org.gradle	gradle-core	>= 1.4 < 5.4.0
Fixed	pkg:maven/org.gradle/gradle-core	org.gradle	gradle-core	= 5.4.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date