Lucene search

GitHub Advisory DatabaseGHSA-PMXF-4V8C-RWR7

HistoryMay 24, 2022 - 4:47 p.m.

Incorrect Resource Transfer Between Spheres in Grails

2022-05-2416:47:09

CWE-494

CWE-669

GitHub Advisory Database

github.com

grails

resource transfer

cleartext http

sdkman

security vulnerability

software

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.8%

JSON

Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users’ apps were not resolving dependencies over cleartext HTTP.

Affected configurations

Vulners

Node

org.grailsgrails-coreRange<3.3.10

VendorProductVersionCPE
org.grailsgrails-core*cpe:2.3:a:org.grails:grails-core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.grails	grails-core	*	cpe:2.3:a:org.grails:grails-core::::::::

References

github.com/advisories/GHSA-pmxf-4v8c-rwr7

github.com/grails/grails-core/issues/11250

nvd.nist.gov/vuln/detail/CVE-2019-12728

objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.004

Percentile

74.8%

JSON

Related for GHSA-PMXF-4V8C-RWR7