CVE-2019-10753: Incorrect Resource Transfer Between Spheres

September 5, 2019 (updated September 6, 2019)

Spotless was resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In case that any of these artifacts were compromised, any developers using these could be altered.

References

nvd.nist.gov/vuln/detail/CVE-2019-10753

Detect and mitigate CVE-2019-10753 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →