The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.gradle:gradle-core(Maven) | 0 | 6.0 | N/A |
CVSS Metrics
