---
layout: post
author:
    name: Steve Gill
    url: https://twitter.com/stevesgill
title:  "Apache Cordova Android 6.1.2 Released"
categories: announcements
tags: news releases security
---

A Security issue was discovered in`cordova-android`. We are releasing `cordova-android@6.1.2` to address this security issue. We recommend that all **Android** applications built using `cordova-android` be upgraded to use version `6.1.2`. Other Cordova platforms such as **iOS** are unaffected, and do not have an update.

When using the Cordova CLI, update with the following command:

    cordova platform update android@6.1.2

The security issue is `CVE-2017-3160`

For your convenience, the text of this CVE is included here.

<!--more-->

____

CVE-2017-3160: Gradle Distribution URL used by Cordova-Android does not use https by default

Severity: 
High

Vendor: 
The Apache Software Foundation

Versions Affected:
Cordova Android (6.1.1 and below)

Description:
After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build.  However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe.  The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched.

Upgrade path:
Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android.

Mitigation Steps:
If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA\_ANDROID\_GRADLE\_DISTRIBUTION\_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip

Credit:
Alon Galili