OpenCVE

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Cordova

Configuration 1 [-]

cpe:2.3:a:apache:cordova:*:*:*:*:*:android:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/95838
https://cordova.apache.org/announcements/2017/01/27/android-612.html
https://www.oracle.com/security-alerts/cpuapr2020.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2018-02-01T21:00:00Z

Updated: 2024-09-16T19:56:14.676Z

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3160

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-02-01T21:29:00.197

Modified: 2020-04-15T21:15:19.263

Link: CVE-2017-3160

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Cordova Android", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Cordova 6.1.0 and below"}]}], "datePublic": "2017-01-27T00:00:00", "descriptions": [{"lang": "en", "value": "After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip"}], "problemTypes": [{"descriptions": [{"description": "Man-in-the-Middle vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-15T21:06:41", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://cordova.apache.org/announcements/2017/01/27/android-612.html"}, {"name": "95838", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95838"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-01-27T00:00:00", "ID": "CVE-2017-3160", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Cordova Android", "version": {"version_data": [{"version_value": "Apache Cordova 6.1.0 and below"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Man-in-the-Middle vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://cordova.apache.org/announcements/2017/01/27/android-612.html", "refsource": "MISC", "url": "https://cordova.apache.org/announcements/2017/01/27/android-612.html"}, {"name": "95838", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95838"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:16:28.311Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cordova.apache.org/announcements/2017/01/27/android-612.html"}, {"name": "95838", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95838"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-3160", "datePublished": "2018-02-01T21:00:00Z", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2024-09-16T19:56:14.676Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cordova:*:*:*:*:*:android:*:*", "matchCriteriaId": "022BC79F-AC22-41B8-B6AF-BC027E8F38D1", "versionEndExcluding": "6.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip"}, {"lang": "es", "value": "Despu\u00e9s de a\u00f1adir la plataforma Android a Cordova por primera vez o despu\u00e9s de crear un proyecto utilizando los build scripts, los scripts recuperar\u00e1n Gradle en su primera build. Sin embargo, dado que la URI por defecto no utiliza https, es vulnerable a MiTM y el ejecutable Gradle no es seguro. La criticidad de esta vulnerabilidad es alta dado que los build scripts empiezan inmediatamente una build despu\u00e9s de que se recupere Gradle. Los desarrolladores que sean conscientes de este problema deber\u00edan instalar la versi\u00f3n 6.1.2 o superior de Cordova-Android. Si los desarrolladores no pueden instalar la \u00faltima versi\u00f3n, esta vulnerabilidad se puede mitigar f\u00e1cilmente configurando la variable de entorno CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL en https://services.gradle.org/distributions/gradle-2.14.1-all.zip."}], "id": "CVE-2017-3160", "lastModified": "2020-04-15T21:15:19.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-01T21:29:00.197", "references": [{"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95838"}, {"source": "security@apache.org", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://cordova.apache.org/announcements/2017/01/27/android-612.html"}, {"source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}