CVE-2019-11404: Missing Encryption of Sensitive Data

April 22, 2019 (updated May 11, 2021)

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.

References

github.com/advisories/GHSA-rcj2-vvjx-87pm
github.com/arrow-kt/ank/issues/35
github.com/arrow-kt/ank/pull/36
github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8
github.com/arrow-kt/arrow/issues/1310
github.com/arrow-kt/arrow/releases/tag/0.9.0
nvd.nist.gov/vuln/detail/CVE-2019-11404

Detect and mitigate CVE-2019-11404 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →