CVE-2019-10753: Incorrect Resource Transfer Between Spheres

September 5, 2019 (updated September 6, 2019)

Spotless is resolving dependencies over an insecure channel (http). If the build occurred over an insecure connection, a malicious user could perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. If these artifacts were maliciously altered, developers using them could be compromised.

References

nvd.nist.gov/vuln/detail/CVE-2019-10753

Code Behaviors & Features

Detect and mitigate CVE-2019-10753 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →