CVE-2019-12728

8.1 HIGH

📋 TL;DR

Grails versions before 3.3.10 used unencrypted HTTP connections to communicate with the SDKMan notification service, allowing man-in-the-middle attackers to intercept and potentially modify update notifications. This affects Grails framework installations using the default configuration. Note that this does NOT affect dependency resolution for user applications.

💻 Affected Systems

Products:
  • Grails Framework
Versions: All versions before 3.3.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the SDKMan notification service communication, not application dependency resolution. Users' apps were not resolving dependencies over cleartext HTTP.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept SDKMan notifications and inject malicious update payloads or redirect users to compromised servers, potentially leading to supply chain attacks or credential theft.

🟠 Likely Case

Attackers could intercept update notifications to display fake update messages or redirect users to malicious sites, potentially leading to phishing or malware distribution.

🟢 If Mitigated

With proper network controls and HTTPS enforcement, the risk is limited to potential notification interception without data modification.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires man-in-the-middle position on network path to SDKMan notification service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.10 and later

Vendor Advisory: https://objectcomputing.com/news/2019/05/30/possible-grails-mitm-vulnerability

Restart Required: No

Instructions:

1. Update Grails to version 3.3.10 or later.
2. Run the 'grails upgrade' command.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Network-level HTTPS enforcement

Applies to: all

Configure network firewalls or proxies to block HTTP connections to SDKMan notification endpoints and enforce HTTPS.

Disable SDKMan notifications

Applies to: all

Configure Grails to disable SDKMan update notifications entirely.

Set 'grails.sdkman.notify=false' in application configuration

🧯 If You Can't Patch

  • Implement network segmentation to isolate Grails systems from untrusted networks
  • Deploy network monitoring to detect HTTP connections to SDKMan notification endpoints

🔍 How to Verify

Check if Vulnerable:

Run 'grails --version'; if the reported Grails version is below 3.3.10, the installation is vulnerable.

Check Version:

grails --version

Verify Fix Applied:

Verify Grails version is 3.3.10 or higher and check that SDKMan notifications use HTTPS
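As an added example that is not part of this advisory, the POSIX shell snippet below parses the output of 'grails --version' and compares the reported version numerically against the fix release 3.3.10. It assumes the version appears as a dotted triple on a line mentioning "Grails" (falling back to the first dotted triple in the output), and the installed-check wrapper assumes 'grails' is on PATH.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a Grails version against
# the CVE-2019-12728 fix release (3.3.10).

FIXED_VERSION="3.3.10"

# Pull the Grails version out of `grails --version` output.
# Assumption: the version appears as a dotted triple (e.g. 3.3.9) on a line
# mentioning "Grails"; otherwise fall back to the first dotted triple found.
parse_grails_version() {
    v=$(printf '%s\n' "$1" | grep -i 'grails' | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    printf '%s\n' "$v"
}

# Numeric, component-wise comparison of two dotted versions.
# Prints lt, eq or gt. Missing trailing components count as 0.
compare_versions() {
    i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s\n' "$1" | cut -d. -f"$i")
        pb=$(printf '%s\n' "$2" | cut -d. -f"$i")
        pa=${pa:-0}
        pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then echo lt; return 0; fi
        if [ "$pa" -gt "$pb" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
    echo eq
}

# True (exit 0) when the given version is affected, i.e. strictly below 3.3.10.
is_vulnerable_version() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" = "lt" ]
}

# Stand-alone check of the Grails on PATH (assumes `grails` is installed).
check_installed_grails() {
    if ! command -v grails >/dev/null 2>&1; then
        echo "grails not found on PATH"
        return 2
    fi
    v=$(parse_grails_version "$(grails --version 2>&1)")
    if is_vulnerable_version "$v"; then
        echo "Grails $v is affected by CVE-2019-12728 (fixed in $FIXED_VERSION)"
        return 1
    fi
    echo "Grails $v is at or above $FIXED_VERSION"
    return 0
}
```

The comparison is done per component as integers on purpose: a plain string comparison sorts '3.3.9' after '3.3.10' and would report a vulnerable install as fixed.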

📡 Detection & Monitoring

Log Indicators:

  • HTTP connections to SDKMan notification endpoints
  • Failed HTTPS connections followed by HTTP fallback

Network Indicators:

  • Outbound HTTP traffic to SDKMan domains on port 80
  • HTTP requests to notification.sdkman.io

SIEM Query:

destination_port:80 AND destination_ip:(SDKMan_IPs) AND protocol:HTTP
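As an added example that is not part of this advisory, the POSIX shell snippet below turns the two log indicators above (cleartext HTTP to the SDKMan notification host, and a failed HTTPS attempt followed by an HTTP fallback) into checks over a proxy access log. The log layout (timestamp, client IP, method, URL, status) and the sample lines are constructed for illustration; the hostname notification.sdkman.io is the one listed above, and treating any non-2xx status on an https:// request as a failed HTTPS attempt is an assumption to adapt to the real proxy format.

```shell
#!/bin/sh
# Added example, not part of the advisory: detect the two log indicators
# from the Detection section in a simplified proxy access log.
# Assumed log layout, one request per line:
#   <timestamp> <client-ip> <method> <url> <status>
# Adapt the field positions ($1..$5) to your proxy's real format.

# Constructed sample lines, not real traffic (paths are placeholders).
SAMPLE_LOG='2019-06-01T10:00:01Z 10.0.0.5 GET https://notification.sdkman.io/ 503
2019-06-01T10:00:02Z 10.0.0.5 GET http://notification.sdkman.io/ 200
2019-06-01T10:00:03Z 10.0.0.7 GET http://example.com/ 200
2019-06-01T10:00:04Z 10.0.0.9 GET https://notification.sdkman.io/ 200
2019-06-01T10:00:05Z 10.0.0.9 GET http://notification.sdkman.io:80/ 301'

# Indicator 1: any request whose URL uses the http:// scheme for the
# notification host (host taken from the advisory), with or without an
# explicit port. Matching on the scheme rather than on port 80 alone also
# catches cleartext HTTP on a non-standard port. Reads the log on stdin.
find_cleartext_sdkman() {
    grep -E "[[:space:]]http://notification\.sdkman\.io(:[0-9]+)?(/|[[:space:]]|\$)" || true
}

# Indicator 2: per client, a non-2xx response to an https:// request to the
# host (treated here as a failed HTTPS attempt; an assumption about the log
# format) followed later by an http:// request to the same host.
find_https_fallback() {
    awk '
        $4 ~ /^https:\/\/notification\.sdkman\.io(:[0-9]+)?(\/|$)/ && $5 !~ /^2/ {
            failed[$2] = $1
            next
        }
        $4 ~ /^http:\/\/notification\.sdkman\.io(:[0-9]+)?(\/|$)/ && ($2 in failed) {
            print $2 " failed HTTPS at " failed[$2] " then fell back to HTTP at " $1
            delete failed[$2]
        }
    '
}

# Match counts over the constructed sample, for a summary or threshold alert.
count_cleartext_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_cleartext_sdkman | wc -l | tr -d ' '
}

count_fallback_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_https_fallback | wc -l | tr -d ' '
}

# Stand-alone demo over the sample log.
echo "cleartext HTTP requests to the notification host:"
printf '%s\n' "$SAMPLE_LOG" | find_cleartext_sdkman
echo "HTTPS-to-HTTP fallbacks:"
printf '%s\n' "$SAMPLE_LOG" | find_https_fallback
```

On the sample, the first check flags the two http:// requests (10.0.0.5 and 10.0.0.9), while the fallback check flags only 10.0.0.5, whose http:// request followed a non-2xx https:// attempt; 10.0.0.9's https:// request succeeded, so its later http:// request is reported by the first check alone.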
