Multiple vulnerabilities in Google, kotlin
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Cryptographic issues
EUVDB-ID: #VU35763
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-10101
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.
MitigationInstall update from vendor's website.
Vulnerable software versionskotlin: 1.3.0 - 1.3.21
CPE2.3- cpe:2.3::google:kotlin:1.3.0:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.10:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.11:*:*:*:*:*:*:*
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
https://medium.com/bugbountywriteup/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU35764
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-10102
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.
MitigationInstall update from vendor's website.
Vulnerable software versionskotlin: 1.3.0 - 1.3.21
CPE2.3- cpe:2.3::google:kotlin:1.3.0:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.10:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.11:*:*:*:*:*:*:*
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU35765
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-10103
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
MitigationInstall update from vendor's website.
Vulnerable software versionskotlin: 1.3.0 - 1.3.21
CPE2.3- cpe:2.3::google:kotlin:1.3.0:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.10:*:*:*:*:*:*:*
- cpe:2.3::google:kotlin:1.3.11:*:*:*:*:*:*:*
https://blog.jetbrains.com/blog/2019/06/19/jetbrains-security-bulletin-q1-2019/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
