CVE-2019-16370
Medium
Low
Medium
High
Critical
5.9
CVSS Score
Vulnerability Description
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
N
Attack Complexity
H
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
N
Integrity
H
Availability
N
Oracle
CPUJAN2025
Oracle Critical Patch Update Advisory - January 2025
Severity
Critical
Released
Jan 21, 2025
Restart Required
Security Update
References & Resources
-
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2fcve@mitre.org Patch Third Party Advisory
-
https://github.com/gradle/gradle/pull/10543cve@mitre.org Exploit Patch Third Party Advisory
-
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2faf854a3a-2127-422b-91ae-364da2661108 Patch Third Party Advisory
-
https://github.com/gradle/gradle/pull/10543af854a3a-2127-422b-91ae-364da2661108 Exploit Patch Third Party Advisory
Severity Details
5.9
out of 10.0
Medium
Weakness Type (CWE)
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
- Description
- The product uses a broken or risky cryptographic algorithm or protocol.
- Exploit Likelihood
- High
- Typical Severity
- Medium
- Abstraction Level
- Class
Key Information
- Published Date
- September 16, 2019
