Security Features Affecting cordova package, versions [,6.1.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.11% (47th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-CORDOVA-2370305
  • published26 Jan 2022
  • disclosed1 Feb 2018
  • creditUnknown

Introduced: 1 Feb 2018

CVE-2017-3160  (opens in a new tab)
CWE-254  (opens in a new tab)

How to fix?

Upgrade cordova to version 6.1.2 or higher.

Overview

Affected versions of this package are vulnerable to Security Features. After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

References

CVSS Base Scores

version 3.1