CVE-2019-11404

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
arrow-ktarrow
𝑥
< 0.9.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/arrow-kt/ank/issues/35
https://github.com/arrow-kt/ank/pull/36
https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8
https://github.com/arrow-kt/arrow/issues/1310
https://github.com/arrow-kt/arrow/releases/tag/0.9.0
https://github.com/arrow-kt/ank/issues/35
https://github.com/arrow-kt/ank/pull/36
https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8
https://github.com/arrow-kt/arrow/issues/1310
https://github.com/arrow-kt/arrow/releases/tag/0.9.0