Vulnerabilities > CVE-2017-3160 - Unspecified vulnerability in Apache Cordova

CVSS 7.4 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

apache

NVD

Published: 2018-02-01

Updated: 2020-04-15

Summary

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Cordova 0.9.0 Apache Cordova 0.9.1 Apache Cordova 0.9.2 Apache Cordova 0.9.3 Apache Cordova 0.9.4 Apache Cordova 0.9.5 Apache Cordova 0.9.5.1 Apache Cordova 0.9.6 Apache Cordova 0.9.6.1 Apache Cordova 1.0.0 Apache Cordova 1.1.0 Apache Cordova 1.2.0 Apache Cordova 1.3.0 Apache Cordova 1.4.0 Apache Cordova 1.4.1 Apache Cordova 1.5.0 Apache Cordova 1.6.0 Apache Cordova 1.6.1 Apache Cordova 1.7.0 Apache Cordova 1.8.0 Apache Cordova 1.8.1 Apache Cordova 1.9.0 Apache Cordova 2.0.0 Apache Cordova 2.1.0 Apache Cordova 2.2.0 Apache Cordova 2.3.0 Apache Cordova 2.4.0 Apache Cordova 2.5.0 Apache Cordova 2.6.0 Apache Cordova 2.7.0 Apache Cordova 2.8.0 Apache Cordova 2.8.1 Apache Cordova 2.9.0 Apache Cordova 2.9.1 Apache Cordova 3.0.0 Apache Cordova 3.1.0 Apache Cordova 3.2.0 Apache Cordova 3.3.0 Apache Cordova 3.4.0 Apache Cordova 3.5.0 Apache Cordova 3.5.1 Apache Cordova 3.6.0 Apache Cordova 3.6.1 Apache Cordova 3.6.3 Apache Cordova 3.6.4 Apache Cordova 3.7.0 Apache Cordova 3.7.1 Apache Cordova 3.7.2 Apache Cordova 4.0.0 Apache Cordova 4.0.1 Apache Cordova 4.0.2 Apache Cordova 4.1.0 Apache Cordova 4.1.1 Apache Cordova 5.0.0 Apache Cordova 5.1.0 Apache Cordova 5.1.1 Apache Cordova 5.2.0 Apache Cordova 5.2.1 Apache Cordova 5.2.2 Apache Cordova 6.0.0 Apache Cordova 6.1.0 Apache Cordova 6.1.1	93

Seebug

bulletinFamily	exploit
description	#### Product * Apache Cordova #### Vulnerable Version * 6.1.1 (and below) #### Technical Details When adding an Android project for the first time: ‘cordova platform add Android’ Cordova requires Gradle (build tool) to be installed in the local development environment. If the developer had not pre-installed Gradle, the gradle-wrapper component would send a request to download the required build-tool. The problem is that the download directory is sent over HTTP, thus creating a security breach. This breach is highly exploitable and severe since the downloaded file is immediately unzipped and executed by ‘gradle-wrapper’. The vulnerable function is under GradleBuilder.js: ``` GradleBuilder.prototype.prepEnv = function(opts) { var self = this; return check_reqs.check_gradle() [...] var distributionUrlRegex = /distributionUrl.zip/; /jshint -W069 / var distributionUrl = process.env['CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL'] \|\| 'https\\://services.gradle.org/distributions/gradle-2.14.1-all.zip'; [...] }; ``` An attacker with the ability to intercept non-encrypted traffic (MiTM), can hijack the Gradle’s download response, and provide his own file, which allows him to execute code within the developer’s computer. #### Timeline 01-Mar-17: Added as ALEPH-2017013. * 27-Jan-17: Public disclosure.
id	SSV:93101
last seen	2017-11-19
modified	2017-05-12
published	2017-05-12
reporter	Root
title	Cordova-Android MiTM Remote Code Execution(CVE-2017-3160)

Summary

Vulnerable Configurations

Seebug

References