PT-2018-7228 · Apache · Cordova-Android

Published 2018-02-01 · Updated 2020-04-15 · CVE-2017-3160

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Cordova-Android versions prior to 6.1.2
Description: The issue arises when the Android platform is added to a Cordova project for the first time, or after a project is created with the build scripts. The scripts fetch Gradle on the first build, but because the default download URI does not use HTTPS, the download is susceptible to a Man-in-the-Middle (MiTM) attack and the fetched Gradle executable cannot be trusted. The severity is high because the build scripts start a build immediately after Gradle has been fetched, so a tampered distribution would run without any further check.
Recommendations: For versions prior to 6.1.2, upgrade to Cordova-Android 6.1.2 or later. As a temporary workaround for developers unable to upgrade, set the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip so that Gradle is fetched over HTTPS.
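The workaround above relies on the build machine honouring an HTTPS distribution URL. The following POSIX shell guard, added here as an example and not code from the advisory or from the Cordova project, enforces that: it defaults the environment variable to the HTTPS URL the advisory recommends, refuses any Gradle distribution URL whose scheme is not `https://`, and can also inspect the `distributionUrl` line of a generated `gradle-wrapper.properties` file (the file path is an assumption; pass the path your project actually produces).

```shell
#!/bin/sh
# Added example (not part of the advisory or of Cordova-Android): a pre-build
# guard that refuses a Gradle distribution URL unless it is served over HTTPS,
# so a build host cannot silently fall back to a plaintext download.

# Default to the HTTPS URL recommended in the advisory when nothing is set.
: "${CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL:=https://services.gradle.org/distributions/gradle-2.14.1-all.zip}"

# is_https_url URL -> returns 0 if the scheme is exactly "https://", 1 otherwise.
is_https_url() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_gradle_url URL -> prints a verdict; returns 0 (safe) or 1 (unsafe).
check_gradle_url() {
    if is_https_url "$1"; then
        printf 'OK: Gradle distribution URL uses HTTPS: %s\n' "$1"
        return 0
    fi
    printf 'UNSAFE: Gradle distribution URL is not HTTPS: %s\n' "$1" >&2
    return 1
}

# check_wrapper_properties FILE -> reads the distributionUrl= line of a
# gradle-wrapper.properties file (colons are escaped as "\:" in that format),
# then applies the same HTTPS check. FILE is an assumption; pass the real path.
check_wrapper_properties() {
    url=$(sed -n 's/^distributionUrl=//p' "$1" | sed 's#\\:#:#g')
    if [ -z "$url" ]; then
        printf 'no distributionUrl found in %s\n' "$1" >&2
        return 1
    fi
    check_gradle_url "$url"
}
```

Run `check_gradle_url "$CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL"` before invoking the Cordova build (for example as the first step of a CI job) and fail the job when it returns non-zero; the check only verifies the transport scheme, so it complements rather than replaces upgrading to Cordova-Android 6.1.2 or later.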

Fix


Related Identifiers

CVE-2017-3160

Affected Products

Cordova-Android