| ID |
CVE-2022-25364
|
| Summary |
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.) |
| References |
|
| Vulnerable Configurations |
|
| CVSS |
| Base: | 9.3 (as of 10-05-2022 - 15:33) |
| Impact: | |
| Exploitability: | |
|
| CWE |
CWE-863 |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
MEDIUM |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| COMPLETE |
COMPLETE |
COMPLETE |
|
| cvss-vector
via4
|
AV:N/AC:M/Au:N/C:C/I:C/A:C
|
| Last major update |
10-05-2022 - 15:33 |
| Published |
17-03-2022 - 17:15 |
| Last modified |
10-05-2022 - 15:33 |
