CVE-2017-3160

4 documents4 sources
Severity
7.4HIGH
EPSS
0.3%
top 43.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache CordovaApache Software Foundation Apache Cordova Android
Timeline
PublishedFeb 1
Latest updateMay 13

Description

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

CVEListV5apache_software_foundation/apache_cordova_androidApache Cordova 6.1.0 and below
NVDapache/cordova< 6.1.2

🔴Vulnerability Details

2
GHSA
GHSA-vjv5-2xqq-c8vh: After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on2022-05-13
CVEList
CVE-2017-3160: After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on2018-02-01

📋Vendor Advisories

1
Oracle
Oracle Oracle Retail Applications Risk Matrix: Xstore Services (Apache Cordova) — CVE-2017-31602020-04-15
CVE-2017-3160 (HIGH CVSS 7.4) | After the Android platform is added | cvebase.io