CVE-2019-1010260

HIGH

ktlint < 0.30.0 - Remote Code Execution via MITM of HTTP Ruleset Download

Title source: llm
STIX 2.1

Description

Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.

References (1)

Core 1
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/shyiko/ktlint/pull/332

Scores

CVSS v3 8.1
EPSS 0.0148
EPSS Percentile 70.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-319
Status published
Products (2)
com.github.shyiko.ktlint/ktlint-core 0 - 0.30.0Maven
ktlint_project/ktlint < 0.30.0
Published Apr 02, 2019
Tracked Since Feb 18, 2026