Описание
Using ktlint to download and execute custom rulesets can result in arbitrary code execution as the served jars can be compromised by a MITM. This attack is exploitable via Man in the Middle of the HTTP connection to the artifact servers. This vulnerability appears to have been fixed in 0.30.0 and later; after commit 5e547b287d6c260d328a2cb658dbe6b7a7ff2261.
Ссылки
- ExploitPatchThird Party Advisory
- ExploitPatchThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.30.0 (исключая)
cpe:2.3:a:ktlint_project:ktlint:*:*:*:*:*:*:*:*
EPSS
Процентиль: 44%
0.00216
Низкий
8.1 High
CVSS3
9.3 Critical
CVSS2
Дефекты
CWE-319
Связанные уязвимости
CVSS3: 8.1
github
почти 7 лет назад
High severity vulnerability that affects com.github.shyiko.ktlint:ktlint-core
EPSS
Процентиль: 44%
0.00216
Низкий
8.1 High
CVSS3
9.3 Critical
CVSS2
Дефекты
CWE-319