CVE-2019-11404
HIGH
arrow-kt Arrow < 0.9.0 - Missing Encryption of Sensitive Data via HTTP Artifact Resolution
Title source: llm
Description
arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
References (5)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/arrow-kt/arrow/issues/1310
Patch, Third Party Advisory x_refsource_misc
https://github.com/arrow-kt/arrow/commit/74198dab522393487d5344f194dc21208ab71ae8
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/arrow-kt/arrow/releases/tag/0.9.0
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/arrow-kt/ank/issues/35
Patch, Third Party Advisory x_refsource_misc
https://github.com/arrow-kt/ank/pull/36
Scores
CVSS v3
8.1
EPSS
0.0114
EPSS Percentile
62.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-311
Status
published
Products (2)
arrow-kt/arrow
< 0.9.0
io.arrow-kt/arrow-ank-gradle
0 - 0.9.0 (Maven)
Published
Apr 22, 2019
Tracked Since
Feb 18, 2026