Vulnerability Description
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arrow-Kt | Arrow | < 0.9.0 |
Related Weaknesses (CWE)
References
- https://github.com/arrow-kt/ank/issues/35ExploitPatchThird Party Advisory
- https://github.com/arrow-kt/ank/pull/36PatchThird Party Advisory
- https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71aePatchThird Party Advisory
- https://github.com/arrow-kt/arrow/issues/1310ExploitThird Party Advisory
- https://github.com/arrow-kt/arrow/releases/tag/0.9.0Release NotesThird Party Advisory
- https://github.com/arrow-kt/ank/issues/35ExploitPatchThird Party Advisory
- https://github.com/arrow-kt/ank/pull/36PatchThird Party Advisory
- https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71aePatchThird Party Advisory
- https://github.com/arrow-kt/arrow/issues/1310ExploitThird Party Advisory
- https://github.com/arrow-kt/arrow/releases/tag/0.9.0Release NotesThird Party Advisory
FAQ
What is CVE-2019-11404?
CVE-2019-11404 is a vulnerability with a CVSS score of 8.1 (HIGH). arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously com...
How severe is CVE-2019-11404?
CVE-2019-11404 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-11404?
Check the references section above for vendor advisories and patch information. Affected products include: Arrow-Kt Arrow.