A Security issue was discovered in
cordova-android. We are releasing
firstname.lastname@example.org to address this security issue. We recommend that all Android applications built using
cordova-android be upgraded to use version
6.1.2. Other Cordova platforms such as iOS are unaffected, and do not have an update.
When using the Cordova CLI, update with the following command:
cordova platform update email@example.com
The security issue is
For your convenience, the text of this CVE is included here.
CVE-2017-3160: Gradle Distribution URL used by Cordova-Android does not use https by default
Vendor: The Apache Software Foundation
Versions Affected: Cordova Android (6.1.1 and below)
Description: After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched.
Upgrade path: Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android.
Mitigation Steps: If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip
Credit: Alon Galili