CVE-2019-1010260: Cleartext Transmission of Sensitive Information

April 8, 2019 (updated September 17, 2021)

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.

References

github.com/advisories/GHSA-r8h9-hq9c-2p5c
github.com/shyiko/ktlint/pull/332
nvd.nist.gov/vuln/detail/CVE-2019-1010260

Detect and mitigate CVE-2019-1010260 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →