Grails Cleartext HTTP Information Disclosure Vulnerability



A vulnerability in Grails could allow an unauthenticated, remote attacker to compromise or modify files on a targeted system.

The vulnerability exists because the affected software uses cleartext HTTP to resolve the SDKMan notification service. An attacker could exploit this vulnerability by performing a man-in-the-middle attack to compromise or modify files on the targeted system. A successful exploit could be used to conduct further attacks.

Proof-of-concept code that demonstrates an exploit of this vulnerability is available.

Grails has confirmed the vulnerability and released software updates.

Security Impact Rating: High

CVE: CVE-2019-12728

Source: Cisco Multivendor Vulnerability Alerts