CVE-2019-11404
Missing Encryption of Sensitive Data in arrow-kt Arrow
5.9
MEDIUM
CVSS 3.1
EPSS 0.31%
Description
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
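A check for the weakness described above, as an added example (not code from this page or from the Arrow project): it scans Gradle build script text for repository URLs declared with `http://`, ignoring commented-out lines. Going slightly beyond the page, it also flags Gradle's `allowInsecureProtocol` opt-in. The sample build script and its hostnames are constructed for illustration.

```python
import re

# String literals are matched first so the "//" inside a URL is not read as a comment.
TOKEN = re.compile(
    r"""("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|//[^\n]*|/\*.*?\*/""", re.DOTALL)
# Quoted literal whose value starts with http:// (Groovy or Kotlin DSL).
HTTP_LITERAL = re.compile(r"""(["'])(http://[^"'\s]+)\1""", re.IGNORECASE)
# Gradle's explicit opt-in for cleartext repositories (Kotlin DSL spells it isAllow...).
INSECURE_OPT_IN = re.compile(
    r"\b(?:is)?allowInsecureProtocol\s*=\s*true\b", re.IGNORECASE)

# Constructed sample build script; hostnames are placeholders.
SAMPLE_BUILD_GRADLE = '''\
buildscript {
    repositories {
        // was: maven { url "http://old.example.invalid/repo" }
        maven { url "http://repo.example.invalid/releases" }
        maven { url 'https://plugins.example.invalid/m2/' }
    }
}
repositories {
    /* maven("http://commented.example.invalid") */
    maven("http://mirror.example.invalid/maven2")
}
'''

def strip_comments(text):
    """Drop // and /* */ comments, keeping string literals and line numbers."""
    return TOKEN.sub(lambda m: m.group(1) or "\n" * m.group(0).count("\n"), text)

def find_insecure_repositories(text):
    """Return (line_number, finding) for each cleartext URL or insecure opt-in."""
    hits = []
    for no, line in enumerate(strip_comments(text).splitlines(), 1):
        hits += [(no, m.group(2)) for m in HTTP_LITERAL.finditer(line)]
        if INSECURE_OPT_IN.search(line):
            hits.append((no, "allowInsecureProtocol = true"))
    return hits

if __name__ == "__main__":
    for no, finding in find_insecure_repositories(SAMPLE_BUILD_GRADLE):
        print(f"build.gradle:{no}: cleartext dependency source: {finding}")
```

Run it over every `build.gradle`, `build.gradle.kts` and `settings.gradle` in a repository; an empty result means no cleartext repository URL was found in the literals it inspects.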
How to fix CVE-2019-11404
To remediate CVE-2019-11404, upgrade the affected package to a fixed version below.
- Upgrade to 0.9.0 or later
Is CVE-2019-11404 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |