phunware / maas-mapping-android-sdk

Phunware Mapping SDK for Android

CVE-2019-10101 (High) detected in kotlin-reflect-1.2.21.jar - autoclosed #131

Closed mend-bolt-for-github[bot] closed 3 years ago

mend-bolt-for-github[bot] commented 4 years ago

CVE-2019-10101 - High Severity Vulnerability

Vulnerable Library - kotlin-reflect-1.2.21.jar

Kotlin Full Reflection Library

Path to dependency file: maas-mapping-android-sdk/Samples/kotlin/build.gradle

Path to vulnerable library: /tmp/ws-ua_20200804163015_TXPFBI/downloadResource_VGDMHH/20200804163149/kotlin-reflect-1.2.21.jar

Dependency Hierarchy:
- kotlin-stdlib-1.3.70.jar (Root Library)
  - moshi-kotlin-1.6.0.jar
    - :x: **kotlin-reflect-1.2.21.jar** (Vulnerable Library)

Found in HEAD commit: 6baccbbedd8c32dde9860ebe785b0b1d46c9c49c

Vulnerability Details

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

Publish Date: 2019-07-03

URL: CVE-2019-10101

CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101

Release Date: 2019-07-03

Fix Resolution:
- org.jetbrains.kotlin:kotlin-stdlib:1.3.30
- org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30
- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30
- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30
- org.jetbrains.kotlin:kotlin-reflect:1.3.30


mend-bolt-for-github[bot] commented 3 years ago

✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or is no longer part of the WhiteSource inventory.