MitM attack in Grails

Published: 2019-06-11 08:46:15 | Updated: 2019-06-11
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2019-12728
CVSSv3 5.5 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CWE ID CWE-319
Exploitation vector Local network
Public exploit N/A
Vulnerable software Grails
Vulnerable software versions Grails 3.3.9
Grails 3.3.8
Grails 3.3.7

Show more

Vendor URL Grails

Security Advisory

1) Cleartext transmission of sensitive information

Description

The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to the application used cleartext HTTP to resolve the SDKMan notification service. A remote attacker with ability to perform man-in-the-middle (MitM) attack can compromise the affected system by modifying data, passed over HTTP channel. 

Remediation

Install updates from vendor's website.

External links

https://github.com/grails/grails-core/issues/11250
https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability