CVE-2019-16370 — Use of a Broken or Risky Cryptographic Algorithm in Gradle

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-20 — Improper Input Validation11 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 62.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gradle Debian Gradle

Timeline

PublishedSep 16

Latest updateMay 24

Description

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶NVDgradle/gradle< 6.0

▶debiandebian/gradle< gradle 4.4.1-18 (bookworm)

▶Debiangradle/gradle< 4.4.1-18+2

▶Ubuntugradle/gradle< 4.4.1-5ubuntu2~18.04+esm1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Use of a weak cryptographic algorithm in Gradle↗2022-05-24

▶

OSV

Use of a weak cryptographic algorithm in Gradle↗2022-05-24

▶

OSV

gradle vulnerabilities↗2021-03-15

▶

OSV

CVE-2019-16370: The PGP signing plugin in Gradle before 6↗2019-09-16

▶

📋Vendor Advisories

Ubuntu

Gradle vulnerabilities↗2021-03-15

▶

Red Hat

gradle: PGP signing plugin security bypass↗2019-09-16

▶

Debian

CVE-2019-16370: gradle - The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which...↗2019

▶

💬Community

Bugzilla

CVE-2019-16370 gradle: PGP signing plugin security bypass↗2019-10-07

▶

Bugzilla

CVE-2019-16370 gradle: PGP signing plugin security bypass [epel-6]↗2019-10-07

▶

Bugzilla

CVE-2019-16370 gradle: PGP signing plugin security bypass [fedora-all]↗2019-10-07

▶