Public Disclosure of a fixed JetBrains/Kotlin security vulnerability
This writeup is the result of roughly four months of research into the supply-chain security of the JVM ecosystem, covering Gradle, Maven, and SBT users. What I found was quite disturbing. A huge swath of the JVM ecosystem, including many of the most popular libraries, was downloading its dependencies over HTTP instead of HTTPS, which lets anyone on the network path between the build and the repository substitute the artifacts being downloaded. This also affected many JetBrains projects, including several IntelliJ plugins and the Kotlin compiler.
_Action steps for readers_: Please go check your builds and fix them if they are using
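As an added example (not tooling from this writeup or from JetBrains/Kotlin), the following Python script performs that check: it scans Gradle, Maven and SBT build files, plus gradle-wrapper.properties, for repository URLs that use plain http, and can rewrite them to https. The build-file samples at the bottom are constructed, with placeholder hosts.

```python
"""Scan JVM build files for artifact repositories fetched over plain HTTP.

Added example, not code from the original writeup or from JetBrains/Kotlin.
It covers the build systems the writeup names (Gradle, Maven, SBT) plus the
Gradle wrapper's distributionUrl, using per-line regexes rather than a full
parser; the sample build files at the bottom are constructed placeholders.
"""
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    build_system: str
    line_no: int  # 1-based line in the scanned text
    url: str      # the plain-HTTP URL exactly as written


# Gradle (Groovy/Kotlin DSL): url "http://..", url = uri("http://.."), maven("http://..")
_GRADLE_RE = re.compile(r'\b(?:url|uri|maven)\s*[=(]?\s*\(?\s*["\'](http://[^"\']+)["\']')
# SBT: resolvers += "name" at "http://.."
_SBT_RE = re.compile(r'\bat\s+["\'](http://[^"\']+)["\']')
# gradle-wrapper.properties escapes the colon: distributionUrl=http\://..
_WRAPPER_RE = re.compile(r'^distributionUrl\s*=\s*(http\\?://\S+)')
_LINE_PATTERNS = {"gradle": _GRADLE_RE, "sbt": _SBT_RE, "gradle-wrapper": _WRAPPER_RE}
# Maven: only <url> inside a repository-like block is a fetch target;
# <project><url>, <scm><url>, <license><url> are informational and not flagged.
_MAVEN_BLOCK_RE = re.compile(
    r'<(repository|pluginRepository|snapshotRepository|mirror)\b[^>]*>(.*?)</\1>', re.S)
_MAVEN_URL_RE = re.compile(r'<url>\s*(http://[^<\s]+)\s*</url>')


def find_http_repositories(text: str, build_system: str) -> List[Finding]:
    """Return every repository URL in text whose scheme is plain http."""
    findings: List[Finding] = []
    if build_system == "maven":
        for block in _MAVEN_BLOCK_RE.finditer(text):
            for m in _MAVEN_URL_RE.finditer(block.group(2)):
                pos = block.start(2) + m.start(1)
                findings.append(Finding("maven", text.count("\n", 0, pos) + 1, m.group(1)))
        return findings
    pattern = _LINE_PATTERNS.get(build_system)
    if pattern is None:
        raise ValueError(f"unknown build system: {build_system}")
    for line_no, line in enumerate(text.split("\n"), 1):
        for m in pattern.finditer(line):
            findings.append(Finding(build_system, line_no, m.group(1)))
    return findings


def _host_of(url: str) -> str:
    return url.split("//", 1)[1].split("/", 1)[0].split(":", 1)[0]


def rewrite_to_https(text: str, build_system: str,
                     skip_hosts: Tuple[str, ...] = ("localhost", "127.0.0.1")
                     ) -> Tuple[str, List[Finding]]:
    """Flip each flagged URL to https; returns (new text, findings changed).

    Only the scheme changes: confirm the host really serves the repository over
    HTTPS before committing the edit. Loopback hosts used for local testing are
    skipped by default.
    """
    lines = text.split("\n")
    changed: List[Finding] = []
    for f in find_http_repositories(text, build_system):
        if _host_of(f.url) in skip_hosts:
            continue
        lines[f.line_no - 1] = lines[f.line_no - 1].replace(f.url, "https" + f.url[4:], 1)
        changed.append(f)
    return "\n".join(lines), changed


# Constructed samples; the hosts are placeholders, not real repositories.
GRADLE_SAMPLE = """\
repositories {
    maven { url "http://repo.example.com/releases" }
    maven { url = uri("http://artifacts.example.org/m2") }
    maven("https://plugins.example.net/m2/")
}
"""
MAVEN_SAMPLE = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <url>http://example.com/project-site</url>
  <repositories>
    <repository>
      <url>http://nexus.example.com/repository/maven-public</url>
    </repository>
  </repositories>
</project>
"""
SBT_SAMPLE = 'resolvers += "Internal" at "http://artifacts.example.com/sbt"\n'
WRAPPER_SAMPLE = ("distributionBase=GRADLE_USER_HOME\n"
                  r"distributionUrl=http\://services.example.com/distributions/gradle-5.6-bin.zip")
```

Feed each build file's text to find_http_repositories with the scanner chosen by file name (*.gradle and *.gradle.kts as gradle, pom.xml and settings.xml as maven, *.sbt as sbt, gradle-wrapper.properties as gradle-wrapper). The rewrite only flips the scheme; a repository that does not answer over HTTPS will fail to resolve afterwards rather than silently falling back to HTTP, but check the host before relying on that.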
I want to thank @Yaroslav Russkih and the entire JetBrains/Kotlin team for being awesome to work with on this security vulnerability. They jumped on it very quickly and began patching all of their repositories swiftly. I believe we've gotten all of them, but if you spot something, contact firstname.lastname@example.org