Low severity · NVD Advisory · Published Sep 16, 2019 · Updated Aug 5, 2024
CVE-2019-16370
Description
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.gradle:gradle-core (Maven) | < 6.0 | 6.0 |
Affected products
- Gradle/Gradle (description)
- ghsa-coords (2 versions): < 6.0 + 1 more
- (no CPE) range: < 6.0
- (no CPE) range: < 4.4.1-7.2
References
- github.com/advisories/GHSA-hhr2-f668-ff2w (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16370 (ghsa; ADVISORY)
- github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f (ghsa; x_refsource_MISC, WEB)
- github.com/gradle/gradle/pull/10543 (ghsa; x_refsource_MISC, WEB)