CVE-2019-16370
MEDIUM
Gradle < 6.0 - Use of a Broken or Risky Cryptographic Algorithm via SHA-1 in PGP Signing Plugin
Title source: llm
Description
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
References (2)
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/gradle/gradle/pull/10543
Patch, Third Party Advisory x_refsource_misc
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f
Scores
CVSS v3
5.9
EPSS
0.0103
EPSS Percentile
59.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-327
Status
published
Products (2)
gradle/gradle
< 6.0
org.gradle/gradle-core
0 - 6.0 (Maven)
Published
Sep 16, 2019
Tracked Since
Feb 18, 2026