CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11065
https://notcve.org/view.php?id=CVE-2019-11065
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. Gradle versiones desde la 1.4 hasta la 5.3.1 utilizan una HTTP URL insegura, para descargar dependencias cuando se utilizan los plugins JavaScript o CoffeeScript Gradle incorporados. Los artefactos de dependencia podrían haber sido maliciosamente comprometidos por un ataque del MITM contra el sitio web ajax.googleapis.com. • https://github.com/gradle/gradle/pull/8927 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVXOXNLAYRGPKAZV63PYNV3HF27JW2MW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43P7SVDJOG6OUDVFR4ZIDITZLNHPGTO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQ5CGOV5QVQCSPGE3WRZDKUGIXLHSZDR •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2016-6199
https://notcve.org/view.php?id=CVE-2016-6199
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. ObjectSocketWrapper.java en Gradle 2.12 permite a atacantes remotos ejecutar código arbitrario a través de un objeto serializado manipulado. • https://discuss.gradle.org/t/a-security-issue-about-gradle-rce/17726 https://philwantsfish.github.io/security/java-deserialization-github • CWE-502: Deserialization of Untrusted Data •