ID CVE-2021-29427
Summary In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.
References
Vulnerable Configurations
  • cpe:2.3:a:gradle:gradle:5.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.1.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.1.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.1.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.1.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.2.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.2.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.3.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.3.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.3.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.3.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.3.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.3.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.4.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.4.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.4.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:5.6.4:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:5.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.3.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.3.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.3.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.3.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.3.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.3.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.3.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.3.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.3.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.5.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.5.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.5.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.5.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.5.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.5.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.0:rc6:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.0:rc6:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:-:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:-:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:milestone1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:milestone2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:milestone3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:rc4:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.0:rc5:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.0:rc5:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:gradle:gradle:6.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:gradle:gradle:6.8.2:*:*:*:*:*:*:*
CVSS
Base: 6.0 (as of 05-05-2021 - 18:41)
Impact:
Exploitability:
CWE CWE-829
CAPEC
  • Force Use of Corrupted Files
    This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.
  • Code Inclusion
    An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
  • DTD Injection
    An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.
  • PHP Local File Inclusion
    The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
  • Local Code Inclusion
    The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
  • Local Execution of Code
    An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
  • Remote Code Inclusion
    The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.
  • XML Entity Linking
    An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections.
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:S/C:P/I:P/A:P
Last major update 05-05-2021 - 18:41
Published 13-04-2021 - 20:15
Last modified 05-05-2021 - 18:41
Back to Top