Name of the Vulnerable Software and Affected Versions Gradle versions prior to 6.3.1 Maven versions prior to 6.3.0

Description The issue arises from the use of repository configurations that download over HTTP instead of HTTPS, making Gradle users susceptible to man-in-the-middle attacks at build time. This could potentially affect a significant number of devices worldwide, although the exact number is not specified. There is no mention of real-world incidents where this issue was exploited.

Recommendations For Gradle versions prior to 6.3.1, update to 6.3.1. For Maven versions prior to 6.3.0, upgrade to 6.3.0. As a temporary workaround for users unable to upgrade, ensure that no Maven repository is used via http in the build file. Replace all custom repository definitions in build.gradle or pom.xml with their https version, such as changing http://repo.spring.io/plugins-release to https://repo.spring.io/plugins-release in the maven { url "https://repo.spring.io/plugins-release" } line.