CVE-2019-16370

Published: Sep 16, 2019Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.

Affected (1)

Products: Gradle: Gradle

Gradle

1 product

Gradle

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gradle Gradle	Before 6.0

Related CWEs

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

References (4)

https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/gradle/gradle/pull/10543

Source: cve@mitre.org

ExploitPatchThird Party Advisory

https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/gradle/gradle/pull/10543

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

Timeline

No history available yet.