VYPR
High severity7.4NVD Advisory· Published Feb 1, 2018· Updated Jun 17, 2026

CVE-2017-3160

CVE-2017-3160

Description

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Apache/Cordova Androidllm-fuzzy2 versions
    <6.1.2+ 1 more
    • (no CPE)range: <6.1.2
    • (no CPE)range: Apache Cordova 6.1.0 and below

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.