Moderate severity · OSV Advisory · Published Apr 21, 2019 · Updated Aug 4, 2024

CVE-2019-11404

Description

arrow-kt Arrow before 0.9.0 resolved Gradle build artifacts (for compiling and building the published JARs) over HTTP instead of HTTPS. Any of these dependent artifacts could have been maliciously compromised by an MITM attack.
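
An added example, not code from this advisory or from the Arrow project: a check, suitable for CI, that reports every repository URL in a Gradle build script that is fetched over plain HTTP. It assumes URLs are written as ordinary quoted literals (Groovy or Kotlin DSL); triple-quoted strings and URLs assembled from variables are not handled, and the names `blank_comments` and `insecure_repositories` are hypothetical.

```python
import re

# Constructed sample modelled on the pre-fix lines in this advisory's patch;
# the example.invalid entries are made up to exercise comment handling.
SAMPLE = '''\
buildscript { repositories {
    maven { url "https://plugins.gradle.org/m2/" }
    // maven { url "http://example.invalid/old-mirror" }
    maven { url "http://dl.bintray.com/kotlin/kotlin-dev" }
} }
allprojects { repositories {
    /* maven { url "http://example.invalid/disabled" } */
    maven { url 'https://kotlin.bintray.com/kotlinx' }
    maven { url "http://dl.bintray.com/arrow-kt/arrow-kt" }
} }
'''

# A string literal (group 1), a // comment, or a /* */ comment, whichever starts first.
TOKEN = re.compile(
    r'''("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')|//[^\n]*|/\*.*?\*/''', re.S)

# A quoted URL after `url`, `url =`, `uri(` or Kotlin-DSL `maven(`; group 2 is the scheme.
REPO_URL = re.compile(
    r"""\b(?:url|maven)\s*[=(\s]\s*(?:uri\s*\(\s*)?["'](([A-Za-z][\w+.-]*)://[^"'\s]+)["']""")

def blank_comments(src):
    """Overwrite comments with spaces of equal length so offsets still map to
    source lines; string literals survive, so the '//' inside a URL is kept."""
    return TOKEN.sub(
        lambda m: m.group(0) if m.group(1) else re.sub(r"[^\n]", " ", m.group(0)), src)

def insecure_repositories(src):
    """Return (line_number, url) for every repository URL fetched over plain HTTP."""
    return [(src.count("\n", 0, m.start()) + 1, m.group(1))
            for m in REPO_URL.finditer(blank_comments(src))
            if m.group(2).lower() == "http"]

if __name__ == "__main__":
    for line, url in insecure_repositories(SAMPLE):
        print(f"line {line}: plain-HTTP repository {url}")
```

Commented-out entries are ignored, so only repositories Gradle would actually resolve are reported.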

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.arrow-kt:arrow-ank-gradle (Maven) | < 0.9.0 | 0.9.0 |

Patches

74198dab5223

Fix some http vulnerabilities

https://github.com/arrow-kt/arrow · Paco · Feb 19, 2019 · via ghsa
1 file changed · +4 −4
  • build.gradle · +4 −4 · modified
    @@ -39,7 +39,7 @@ buildscript {
                 url "https://plugins.gradle.org/m2/"
             }
             jcenter()
    -        maven { url "http://dl.bintray.com/kotlin/kotlin-dev" }
    +        maven { url "https://dl.bintray.com/kotlin/kotlin-dev" }
             maven { url "https://dl.bintray.com/jetbrains/markdown/" }
             maven { url "https://dl.bintray.com/arrow-kt/arrow-kt/" }
         }
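
Review bot: Nothing in this `buildscript` block prevents a later edit from reintroducing an `http://` repository; the `kotlin-dev` entry was plain HTTP while the `jetbrains/markdown` and `arrow-kt` entries directly below it were already HTTPS. Since repositories declared under `buildscript` supply the build's own classpath, consider adding a build-time check that rejects any repository whose URL is not `https://`, so the fix is enforced rather than depending on each literal being typed correctly.
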
    @@ -69,8 +69,8 @@ allprojects {
         repositories {
             jcenter()
             maven { url 'https://kotlin.bintray.com/kotlinx' }
    -        maven { url "http://dl.bintray.com/kotlin/kotlin-dev" }
    -        maven { url "http://dl.bintray.com/arrow-kt/arrow-kt" }
    +        maven { url "https://dl.bintray.com/kotlin/kotlin-dev" }
    +        maven { url "https://dl.bintray.com/arrow-kt/arrow-kt" }
             maven { url "https://dl.bintray.com/jetbrains/markdown/" }
         }
     }
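
Review bot: The `arrow-kt/arrow-kt` URL in `allprojects` has no trailing slash, while the same repository in the `buildscript` block is written `https://dl.bintray.com/arrow-kt/arrow-kt/`, and the `kotlin-dev` URL is now duplicated verbatim in both blocks. Defining each repository URL once and reusing it in both places would keep the two lists from drifting apart, as happened with `arrow-kt`, which was already HTTPS in `buildscript` but HTTP here.
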
    @@ -252,4 +252,4 @@ dependencyUpdates {
     
     task checkDependenciesVersion {
         dependsOn dependencyUpdates
    -}
    \ No newline at end of file
    +}
    
