CVE-2019-10103 (High) detected in multiple libraries
mend-bolt-for-github opened this issue
CVE-2019-10103 - High Severity Vulnerability
Vulnerable Libraries - kotlin-reflect-1.2.10.jar, kotlin-stdlib-1.2.10.jar, kotlin-stdlib-jdk7-1.2.10.jar, kotlin-stdlib-jdk8-1.2.10.jar
kotlin-reflect-1.2.10.jar
Kotlin Full Reflection Library
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.2.10/19bc012f8c4cd6b705bd6512263777cc19bcf259/kotlin-reflect-1.2.10.jar
Dependency Hierarchy:
- kotlin-annotation-processing-gradle-1.2.10.jar (Root Library)
  - kotlin-compiler-embeddable-1.2.10.jar
    - ❌ kotlin-reflect-1.2.10.jar (Vulnerable Library)
  - kotlin-compiler-embeddable-1.2.10.jar
kotlin-stdlib-1.2.10.jar
Kotlin Standard Library
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.10/b9bf650516989595a5390e5a54181e16347208ac/kotlin-stdlib-1.2.10.jar
Dependency Hierarchy:
- kotlin-annotation-processing-gradle-1.2.10.jar (Root Library)
  - ❌ kotlin-stdlib-1.2.10.jar (Vulnerable Library)
kotlin-stdlib-jdk7-1.2.10.jar
Kotlin Standard Library JDK 7 extension
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.2.10/cfe8b616b3bf0811ef70863c86b745a2e767a66e/kotlin-stdlib-jdk7-1.2.10.jar
Dependency Hierarchy:
- kotlin-stdlib-jdk8-1.2.10.jar (Root Library)
  - ❌ kotlin-stdlib-jdk7-1.2.10.jar (Vulnerable Library)
kotlin-stdlib-jdk8-1.2.10.jar
Kotlin Standard Library JDK 8 extension
Library home page: https://kotlinlang.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /downloadResource_8eae9804-db9c-4f3b-9f40-3277ce9c7f2c/20200219163646/kotlin-stdlib-jdk8-1.2.10.jar
Dependency Hierarchy:
- ❌ kotlin-stdlib-jdk8-1.2.10.jar (Vulnerable Library)
Found in HEAD commit: c268a237f7fa753de2ebd32aff1e5a814be4c0ef
Vulnerability Details
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
Publish Date: 2019-07-03
URL: CVE-2019-10103
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103
Release Date: 2019-07-03
Fix Resolution: 1.3.30