HIGH🇵🇱 Wersja polska

CVE-2017-3160

CVSS 7.4v3.0pub. 2018-02-01upd. 2024-11-21

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Apache Cordova

    APP
    Apache
    < 6.1.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2014-0073CRITICAL9.8ten sam produkt

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrow...

CVE-2021-21315HIGH7.1⚠ KEVten sam produkt

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of f...

CVE-2014-0072HIGH7.5ten sam produkt

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer)...

CVE-2016-6799HIGH7.5ten sam produkt

Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages pa...

CVE-2014-1882HIGH7.5ten sam produkt

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intende...