Vulnerabilites related to gradle - enterprise
CVE-2020-15774 (GCVE-0-2020-15774)
Vulnerability from cvelistv5
Published
2020-09-18 13:20
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15774 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15774"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:02:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15774"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15774",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15774"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15774",
"datePublished": "2020-09-18T13:20:23",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41590 (GCVE-0-2021-41590)
Vulnerability from cvelistv5
Published
2021-10-27 13:20
Modified
2024-08-04 03:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com | x_refsource_MISC | |
| https://security.gradle.com/advisory/2021-07 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:29.051Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2021-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T13:20:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2021-07"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41590",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com",
"refsource": "MISC",
"url": "https://security.gradle.com"
},
{
"name": "https://security.gradle.com/advisory/2021-07",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2021-07"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41590",
"datePublished": "2021-10-27T13:20:17",
"dateReserved": "2021-09-24T00:00:00",
"dateUpdated": "2024-08-04T03:15:29.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15768 (GCVE-0-2020-15768)
Vulnerability from cvelistv5
Published
2020-09-18 13:12
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15768 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15768"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:00:26",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15768"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15768",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15768",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15768"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15768",
"datePublished": "2020-09-18T13:12:34",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15773 (GCVE-0-2020-15773)
Vulnerability from cvelistv5
Published
2020-09-18 14:04
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15773 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.860Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15773"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T14:04:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15773"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15773",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15773"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15773",
"datePublished": "2020-09-18T14:04:29",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15767 (GCVE-0-2020-15767)
Vulnerability from cvelistv5
Published
2020-09-18 13:44
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15767 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.867Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15767"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the \u201csecure\u201d attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:14:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15767"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15767",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the \u201csecure\u201d attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15767",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15767"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15767",
"datePublished": "2020-09-18T13:44:06",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49238 (GCVE-0-2023-49238)
Vulnerability from cvelistv5
Published
2024-01-09 00:00
Modified
2025-06-17 15:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:53:45.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2023-01"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240216-0003/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-49238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T16:05:53.954844Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-521",
"description": "CWE-521 Weak Password Requirements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T15:26:49.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T13:05:59.196Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.gradle.com"
},
{
"url": "https://security.gradle.com/advisory/2023-01"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240216-0003/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-49238",
"datePublished": "2024-01-09T00:00:00.000Z",
"dateReserved": "2023-11-24T00:00:00.000Z",
"dateUpdated": "2025-06-17T15:26:49.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15771 (GCVE-0-2020-15771)
Vulnerability from cvelistv5
Published
2020-09-18 13:22
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15771 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15771"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:08:49",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15771"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15771",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15771",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15771"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15771",
"datePublished": "2020-09-18T13:22:46",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15776 (GCVE-0-2020-15776)
Vulnerability from cvelistv5
Published
2020-09-18 13:16
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15776 | x_refsource_CONFIRM | |
| https://cwe.mitre.org/data/definitions/1004.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.814Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15776"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/1004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user\u0027s browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-10T20:16:19",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15776"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/1004.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15776",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user\u0027s browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15776",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15776"
},
{
"name": "https://cwe.mitre.org/data/definitions/1004.html",
"refsource": "MISC",
"url": "https://cwe.mitre.org/data/definitions/1004.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15776",
"datePublished": "2020-09-18T13:16:05",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27919 (GCVE-0-2022-27919)
Vulnerability from cvelistv5
Published
2022-03-25 19:55
Modified
2024-08-03 05:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com/advisory/2022-05 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:41:11.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2022-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-25T19:55:17",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2022-05"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27919",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com/advisory/2022-05",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2022-05"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27919",
"datePublished": "2022-03-25T19:55:17",
"dateReserved": "2022-03-25T00:00:00",
"dateUpdated": "2024-08-03T05:41:11.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11402 (GCVE-0-2019-11402)
Vulnerability from cvelistv5
Published
2019-04-21 16:06
Modified
2024-08-04 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gradle.com/enterprise/releases/2018.5/#changes-3 | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2019-11402 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:39.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-3"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11402"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T13:58:27",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-3"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11402"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11402",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gradle.com/enterprise/releases/2018.5/#changes-3",
"refsource": "MISC",
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-3"
},
{
"name": "https://security.gradle.com/advisory/CVE-2019-11402",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2019-11402"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11402",
"datePublished": "2019-04-21T16:06:16",
"dateReserved": "2019-04-21T00:00:00",
"dateUpdated": "2024-08-04T22:55:39.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15775 (GCVE-0-2020-15775)
Vulnerability from cvelistv5
Published
2020-09-18 13:18
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15775 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:05:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15775",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15775",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15775",
"datePublished": "2020-09-18T13:18:44",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41619 (GCVE-0-2021-41619)
Vulnerability from cvelistv5
Published
2021-10-27 13:24
Modified
2024-08-04 03:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com | x_refsource_MISC | |
| https://security.gradle.com/advisory/2021-08 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:29.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2021-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T13:24:37",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2021-08"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41619",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com",
"refsource": "MISC",
"url": "https://security.gradle.com"
},
{
"name": "https://security.gradle.com/advisory/2021-08",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2021-08"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41619",
"datePublished": "2021-10-27T13:24:37",
"dateReserved": "2021-09-27T00:00:00",
"dateUpdated": "2024-08-04T03:15:29.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15769 (GCVE-0-2020-15769)
Vulnerability from cvelistv5
Published
2020-09-18 13:10
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15769 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.672Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15769"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T13:10:06",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15769"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15769",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15769",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15769"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15769",
"datePublished": "2020-09-18T13:10:06",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.672Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41589 (GCVE-0-2021-41589)
Vulnerability from cvelistv5
Published
2021-10-27 13:31
Modified
2024-08-04 03:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com | x_refsource_MISC | |
| https://security.gradle.com/advisory/2021-06 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:15:28.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2021-06"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T13:31:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2021-06"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41589",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com",
"refsource": "MISC",
"url": "https://security.gradle.com"
},
{
"name": "https://security.gradle.com/advisory/2021-06",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2021-06"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41589",
"datePublished": "2021-10-27T13:31:01",
"dateReserved": "2021-09-24T00:00:00",
"dateUpdated": "2024-08-04T03:15:28.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15772 (GCVE-0-2020-15772)
Vulnerability from cvelistv5
Published
2020-09-18 13:21
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15772 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15772"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:11:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15772"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15772",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15772",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15772"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15772",
"datePublished": "2020-09-18T13:21:50",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41575 (GCVE-0-2022-41575)
Vulnerability from cvelistv5
Published
2022-10-21 00:00
Modified
2025-05-07 14:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:42.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2022-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-41575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T14:35:24.917773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T14:36:04.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-21T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.gradle.com"
},
{
"url": "https://security.gradle.com/advisory/2022-13"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-41575",
"datePublished": "2022-10-21T00:00:00.000Z",
"dateReserved": "2022-09-27T00:00:00.000Z",
"dateUpdated": "2025-05-07T14:36:04.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15770 (GCVE-0-2020-15770)
Vulnerability from cvelistv5
Published
2020-09-18 13:23
Modified
2024-08-04 13:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/gradle/gradle/security/advisories | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2020-15770 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:30.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15770"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user\u0027s password, due to lack of lock-out after excessive failed logins."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-09T21:13:23",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15770"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15770",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user\u0027s password, due to lack of lock-out after excessive failed logins."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"name": "https://security.gradle.com/advisory/CVE-2020-15770",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2020-15770"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15770",
"datePublished": "2020-09-18T13:23:59",
"dateReserved": "2020-07-15T00:00:00",
"dateUpdated": "2024-08-04T13:22:30.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-46881 (GCVE-0-2024-46881)
Vulnerability from cvelistv5
Published
2025-01-26 00:00
Modified
2025-01-27 16:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Summary
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gradle | Enterprise |
Version: 2023.4 < 2024.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-46881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T16:56:12.972129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T16:56:26.914Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise",
"vendor": "Gradle",
"versions": [
{
"lessThan": "2024.1.8",
"status": "affected",
"version": "2023.4",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2024.1.8",
"versionStartIncluding": "2023.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T06:29:22.246Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.gradle.com/advisory/2024-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-46881",
"datePublished": "2025-01-26T00:00:00.000Z",
"dateReserved": "2024-09-12T00:00:00.000Z",
"dateUpdated": "2025-01-27T16:56:26.914Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24858 (GCVE-0-2025-24858)
Vulnerability from cvelistv5
Published
2025-01-26 00:00
Modified
2025-02-12 20:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Summary
Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts. The applicable severity of this vulnerability depends on whether a Develocity server is accessible by external or unauthorized users, and the complexity of the System User password.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Gradle | Enterprise |
Version: 2020.4 < 2024.1.9 Version: 2024.2 < 2024.2.7 Version: 2024.3 < 2024.3.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24858",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T14:05:18.040589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:01:14.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Enterprise",
"vendor": "Gradle",
"versions": [
{
"lessThan": "2024.1.9",
"status": "affected",
"version": "2020.4",
"versionType": "custom"
},
{
"lessThan": "2024.2.7",
"status": "affected",
"version": "2024.2",
"versionType": "custom"
},
{
"lessThan": "2024.3.1",
"status": "affected",
"version": "2024.3",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2024.1.9",
"versionStartIncluding": "2020.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2024.2.7",
"versionStartIncluding": "2024.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2024.3.1",
"versionStartIncluding": "2024.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts. The applicable severity of this vulnerability depends on whether a Develocity server is accessible by external or unauthorized users, and the complexity of the System User password."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T06:12:51.717Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.gradle.com/advisory/2025-01"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-24858",
"datePublished": "2025-01-26T00:00:00.000Z",
"dateReserved": "2025-01-26T00:00:00.000Z",
"dateUpdated": "2025-02-12T20:01:14.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25364 (GCVE-0-2022-25364)
Vulnerability from cvelistv5
Published
2022-03-17 16:24
Modified
2024-08-03 04:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com | x_refsource_MISC | |
| https://security.gradle.com/advisory/2022-02 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:06.981Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2022-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-17T16:24:15",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2022-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-25364",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com",
"refsource": "MISC",
"url": "https://security.gradle.com"
},
{
"name": "https://security.gradle.com/advisory/2022-02",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2022-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-25364",
"datePublished": "2022-03-17T16:24:15",
"dateReserved": "2022-02-18T00:00:00",
"dateUpdated": "2024-08-03T04:36:06.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41574 (GCVE-0-2022-41574)
Vulnerability from cvelistv5
Published
2022-10-07 00:00
Modified
2024-08-03 12:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:42.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2022-12"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://security.gradle.com"
},
{
"url": "https://security.gradle.com/advisory/2022-12"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-41574",
"datePublished": "2022-10-07T00:00:00",
"dateReserved": "2022-09-27T00:00:00",
"dateUpdated": "2024-08-03T12:49:42.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11403 (GCVE-0-2019-11403)
Vulnerability from cvelistv5
Published
2019-04-21 16:06
Modified
2024-08-04 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.
References
| ▼ | URL | Tags |
|---|---|---|
| https://gradle.com/enterprise/releases/2018.5/#changes-2 | x_refsource_MISC | |
| https://security.gradle.com/advisory/CVE-2019-11403 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:39.647Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11403"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-18T13:56:43",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11403"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11403",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gradle.com/enterprise/releases/2018.5/#changes-2",
"refsource": "MISC",
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-2"
},
{
"name": "https://security.gradle.com/advisory/CVE-2019-11403",
"refsource": "CONFIRM",
"url": "https://security.gradle.com/advisory/CVE-2019-11403"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11403",
"datePublished": "2019-04-21T16:06:30",
"dateReserved": "2019-04-21T00:00:00",
"dateUpdated": "2024-08-04T22:55:39.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27225 (GCVE-0-2022-27225)
Vulnerability from cvelistv5
Published
2022-03-16 00:10
Modified
2024-08-03 05:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.gradle.com/advisory/2022-03 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:32.271Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.gradle.com/advisory/2022-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T00:10:18",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.gradle.com/advisory/2022-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.gradle.com/advisory/2022-03",
"refsource": "MISC",
"url": "https://security.gradle.com/advisory/2022-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27225",
"datePublished": "2022-03-16T00:10:18",
"dateReserved": "2022-03-16T00:00:00",
"dateUpdated": "2024-08-03T05:25:32.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15769 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15769 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "18FC73CF-3662-4127-A732-B23B506CFC74",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2020.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2020.2 - 2020.2.4.\u0026#xa0;Se presenta un problema de tipo XSS por medio de una URL de petici\u00f3n"
}
],
"id": "CVE-2020-15769",
"lastModified": "2024-11-21T05:06:08.093",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.200",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15769"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15769"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-16 01:15
Modified
2024-11-21 06:55
Severity ?
Summary
Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com/advisory/2022-03 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2022-03 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77F366CE-8A0B-474A-8E4D-BC8955D57994",
"versionEndExcluding": "2021.4.3",
"versionStartIncluding": "2020.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS."
},
{
"lang": "es",
"value": "Gradle Enterprise versiones anteriores a 2021.4.3, es basado en la transmisi\u00f3n de datos en texto sin cifrar en algunas situaciones. Usa Keycloak para los servicios de administraci\u00f3n de la identidad. Durante el proceso de inicio de sesi\u00f3n, Keycloak establece cookies del navegador que proporcionan efectivamente la funcionalidad \"remember-me\". Para la compatibilidad con versiones anteriores de Safari, Keycloak establece un duplicado de la cookie sin el atributo Secure, lo que permite que la cookie sea enviada cuando es accedida a la ubicaci\u00f3n para la que sea establecida la cookie por medio de HTTP. Esto crea la posibilidad de que un atacante (con la capacidad de hacerse pasar por el host de Gradle Enterprise) capture la sesi\u00f3n de inicio de sesi\u00f3n de un usuario haciendo que haga clic en un enlace http:// al servidor, a pesar de que el servidor real requiere HTTPS"
}
],
"id": "CVE-2022-27225",
"lastModified": "2024-11-21T06:55:26.773",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-16T01:15:08.047",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-03"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-311"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-25 20:15
Modified
2024-11-21 06:56
Severity ?
Summary
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com/advisory/2022-05 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2022-05 | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56D19479-DD9D-44DE-9129-492BDB007BF1",
"versionEndIncluding": "2021.4.3",
"versionStartIncluding": "2020.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API."
},
{
"lang": "es",
"value": "Gradle Enterprise versiones anteriores a 2022.1, permite una ejecuci\u00f3n de c\u00f3digo remota si el proceso de instalaci\u00f3n no especific\u00f3 un archivo de configuraci\u00f3n inicial. La configuraci\u00f3n permite determinados accesos an\u00f3nimos a la administraci\u00f3n y a una API"
}
],
"id": "CVE-2022-27919",
"lastModified": "2024-11-21T06:56:28.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-25T20:15:09.270",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-05"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-09 02:15
Modified
2025-06-17 16:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "178FB462-CD29-4999-96A5-C47BFEF71C7A",
"versionEndExcluding": "2023.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in."
},
{
"lang": "es",
"value": "En Gradle Enterprise anterior a 2023.1, un atacante remoto podr\u00eda obtener acceso a una nueva instalaci\u00f3n (en ciertos escenarios de instalaci\u00f3n) debido a una contrase\u00f1a de usuario inicial del sistema no \u00fanica. Aunque esta contrase\u00f1a debe cambiarse en el primer inicio de sesi\u00f3n, es posible que un atacante inicie sesi\u00f3n antes que el administrador leg\u00edtimo."
}
],
"id": "CVE-2023-49238",
"lastModified": "2025-06-17T16:15:25.137",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-09T02:15:44.837",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2023-01"
},
{
"source": "cve@mitre.org",
"url": "https://security.netapp.com/advisory/ntap-20240216-0003/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2023-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240216-0003/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-521"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-27 14:15
Modified
2024-11-21 06:26
Severity ?
Summary
An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2021-08 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2021-08 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6CD7747-C2DF-4181-8F50-FDE6B5FC3F6C",
"versionEndExcluding": "2021.1.2",
"versionStartIncluding": "2020.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application."
},
{
"lang": "es",
"value": "Se ha detectado un problema en Gradle Enterprise versiones anteriores a 2021.1.2. Se presenta una potencial ejecuci\u00f3n de c\u00f3digo remota por medio de la configuraci\u00f3n de inicio de la aplicaci\u00f3n. La interfaz de usuario de configuraci\u00f3n de la instalaci\u00f3n (disponible para los administradores) permite especificar opciones de inicio de la m\u00e1quina virtual Java arbitrarias. Algunas de estas opciones, como -XX:OnOutOfMemoryError, permiten especificar un comando a ejecutar en el host. Esto puede ser abusado para ejecutar comandos arbitrarios en el host, si un atacante consigue acceso administrativo a la aplicaci\u00f3n"
}
],
"id": "CVE-2021-41619",
"lastModified": "2024-11-21T06:26:32.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-27T14:15:07.610",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-08"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-08"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15772 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15772 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09283EF9-03F6-4D99-A939-C475E7D71B95",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2018.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2018.5 - 2020.2.4. Al configurar Gradle Enterprise para integrarse con un proveedor de identidad SAML, un archivo de metadatos XML puede ser cargado por un administrador. El procesamiento de este archivo en el lado del servidor elimina las entidades externas XML (XXE), lo que permite a un atacante remoto con acceso administrativo realizar la falsificaci\u00f3n de solicitudes en el lado del servidor"
}
],
"id": "CVE-2020-15772",
"lastModified": "2024-11-21T05:06:08.540",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.387",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15772"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15772"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-07 21:15
Modified
2024-11-21 07:23
Severity ?
Summary
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2022-12 | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2022-12 | Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "594365A3-0718-4F36-9D9A-B379E1B0A0AD",
"versionEndExcluding": "2022.3.2",
"versionStartIncluding": "2020.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2."
},
{
"lang": "es",
"value": "Una vulnerabilidad de control de acceso en Gradle Enterprise versiones 2022.4 hasta 2022.3.1 permite a atacantes remotos evitar que sean realizadas copias de seguridad y enviar correos electr\u00f3nicos con contenido de texto arbitrario a la direcci\u00f3n de contacto del administrador de la instalaci\u00f3n configurada, por medio de acceso HTTP a un endpoint interno expuesto accidentalmente. Esto ha sido corregido en versi\u00f3n 2022.3.2"
}
],
"id": "CVE-2022-41574",
"lastModified": "2024-11-21T07:23:25.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-07T21:15:12.090",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-12"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15771 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15771 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | 2018.2 | |
| gradle | enterprise_cache_node | 4.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:2018.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D7BF5EA0-858E-4838-A761-0C0F282ADC08",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise_cache_node:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A34D3206-BD19-43E4-B9AC-35F0935DCBD5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2018.2 y en Gradle Enterprise Build Cache Node versi\u00f3n 4.1. La transmisi\u00f3n cruzada de una cookie que contiene un token CSRF permite al atacante remoto evitar la mitigaci\u00f3n de CSRF"
}
],
"id": "CVE-2020-15771",
"lastModified": "2024-11-21T05:06:08.390",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.307",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15771"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15771"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-311"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-22 11:29
Modified
2024-11-21 04:21
Severity ?
Summary
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gradle.com/enterprise/releases/2018.5/#changes-2 | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2019-11403 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gradle.com/enterprise/releases/2018.5/#changes-2 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2019-11403 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | build_cache_node | * | |
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:build_cache_node:*:*:*:*:*:*:*:*",
"matchCriteriaId": "99FCDCA2-5255-44B5-83D3-4D1B345CBD15",
"versionEndExcluding": "5.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8861CBCD-B19D-4784-8F0E-4F15E4D70D97",
"versionEndExcluding": "2018.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page."
},
{
"lang": "es",
"value": "En Gradle Enterprise versiones anteriores a 2018.5.2, Build Cache Nodes reflejar\u00eda la contrase\u00f1a configurada al ver el c\u00f3digo fuente HTML de la p\u00e1gina de configuraci\u00f3n."
}
],
"id": "CVE-2019-11403",
"lastModified": "2024-11-21T04:21:02.487",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T11:29:04.503",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-2"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11403"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11403"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-27 14:15
Modified
2024-11-21 06:26
Severity ?
Summary
In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2021-07 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2021-07 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8444169-8B88-425E-84A9-3661242130EA",
"versionEndExcluding": "2021.3",
"versionStartIncluding": "2020.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment."
},
{
"lang": "es",
"value": "En Gradle Enterprise versiones hasta 2021.3, el sondeo del entorno de red del lado del servidor puede ocurrir por medio de una prueba de configuraci\u00f3n SMTP. La interfaz de usuario de configuraci\u00f3n de la instalaci\u00f3n disponible para los administradores permite probar la configuraci\u00f3n del servidor SMTP. Esta funci\u00f3n de prueba puede ser usada para identificar los puertos TCP de escucha disponibles para el servidor, revelando informaci\u00f3n sobre el entorno de red interno"
}
],
"id": "CVE-2021-41590",
"lastModified": "2024-11-21T06:26:29.177",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-27T14:15:07.567",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-07"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15768 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15768 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * | |
| gradle | enterprise_cache_node | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D718101-D294-4B1B-B585-689AEDAA3F83",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2017.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise_cache_node:*:*:*:*:*:*:*:*",
"matchCriteriaId": "14281DCA-5B24-440D-80FE-AFA49B1AF9F8",
"versionEndIncluding": "9.2",
"versionStartIncluding": "1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2017.3 - 2020.2.4 y Gradle Enterprise Build Cache Node 1.0 - 9.2. El reflejo de la cabecera HTTP sin restricciones en Gradle Enterprise permite a los atacantes remotos obtener cookies de autenticaci\u00f3n, si son capaces de descubrir una vulnerabilidad XSS por separado. Esto permite potencialmente a un atacante hacerse pasar por otro usuario. Las rutas de solicitud de aplicaciones afectadas por Gradle Enterprise son: /info/cabezas, /cache-info/cabezas, /admin-info/cabezas, /distribution-broker-info/cabezas. Gradle Enterprise Build Cache Node afectado rutas de solicitud de aplicaciones:/cache-node-info/cabeceras"
}
],
"id": "CVE-2020-15768",
"lastModified": "2024-11-21T05:06:07.943",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15768"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15768"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://cwe.mitre.org/data/definitions/1004.html | Third Party Advisory | |
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15776 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cwe.mitre.org/data/definitions/1004.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15776 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "123E2E12-8C26-48AF-92B5-9D48B65D1F93",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2018.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user\u0027s browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery."
},
{
"lang": "es",
"value": "Se detecto un problema en el Gradle Enterprise versiones 2018.2 - 2020.2.4. El token de prevenci\u00f3n del CSRF se almacena en una cookie de petici\u00f3n que no est\u00e1 anotada como HttpOnly. Un atacante con la capacidad de ejecutar un c\u00f3digo arbitrario en el navegador de un usuario podr\u00eda imponer un valor arbitrario para este token, permiti\u00e9ndole realizar una falsificaci\u00f3n de solicitud en varios sitios"
}
],
"id": "CVE-2020-15776",
"lastModified": "2024-11-21T05:06:09.103",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.557",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://cwe.mitre.org/data/definitions/1004.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15776"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cwe.mitre.org/data/definitions/1004.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15776"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-27 14:15
Modified
2024-11-21 06:26
Severity ?
Summary
In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2021-06 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2021-06 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | build_cache_node | * | |
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:build_cache_node:*:*:*:*:*:*:*:*",
"matchCriteriaId": "568F1F21-EF4F-4120-9FB9-B7F6302D5B7F",
"versionEndExcluding": "10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "33782990-15FC-4A1E-8E40-5ECF5AB9E9B7",
"versionEndExcluding": "2021.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used."
},
{
"lang": "es",
"value": "En Gradle Enterprise versiones anteriores a 2021.3 (y Enterprise Build Cache Node versiones anteriores a 10.0), se presenta un potencial envenenamiento de la cach\u00e9 y ejecuci\u00f3n remota de c\u00f3digo cuando se ejecuta el nodo de cach\u00e9 de construcci\u00f3n con su configuraci\u00f3n por defecto. Esta configuraci\u00f3n permite un acceso an\u00f3nimo a la interfaz de usuario de configuraci\u00f3n y el acceso de escritura an\u00f3nimo a la cach\u00e9 de construcci\u00f3n. Si el control de acceso a la cach\u00e9 de construcci\u00f3n no es cambiado de la configuraci\u00f3n abierta por defecto, un actor malicioso con acceso a la red puede llenar la cach\u00e9 con entradas manipuladas que pueden ejecutar c\u00f3digo malicioso como parte de un proceso de construcci\u00f3n. Esto es aplicado a la cach\u00e9 de compilaci\u00f3n proporcionada con Gradle Enterprise y al servicio de nodo de cach\u00e9 de compilaci\u00f3n separado, si es usado. Si el control de acceso a la interfaz de usuario no es cambiado de la configuraci\u00f3n abierta por defecto, un actor malicioso puede deshacer el control de acceso a la cach\u00e9 de compilaci\u00f3n para llenar la cach\u00e9 con entradas manipuladas que pueden ejecutar c\u00f3digo malicioso como parte de un proceso de compilaci\u00f3n. Esto no es aplicado a la cach\u00e9 de construcci\u00f3n proporcionada con Gradle Enterprise, pero es aplicado al servicio de nodo de cach\u00e9 de construcci\u00f3n independiente si es usado"
}
],
"id": "CVE-2021-41589",
"lastModified": "2024-11-21T06:26:29.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-27T14:15:07.523",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2021-06"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-732"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-21 12:15
Modified
2025-05-07 15:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2022-13 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2022-13 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A471455F-B6E6-4866-BEFD-69D2F6B0F5F5",
"versionEndExcluding": "2022.3.3",
"versionStartIncluding": "2022.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3."
},
{
"lang": "es",
"value": "Una vulnerabilidad de exposici\u00f3n de credenciales en el mecanismo de support-bundle en Gradle Enterprise versiones 2022.3 hasta 2022.3.3, permite a atacantes remotos acceder a un subconjunto de datos de la aplicaci\u00f3n (por ejemplo, credenciales en texto sin cifrar). Esto ha sido corregido en versi\u00f3n 2022.3.3"
}
],
"id": "CVE-2022-41575",
"lastModified": "2025-05-07T15:15:55.533",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-21T12:15:11.820",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-13"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15770 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15770 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | 2018.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:2018.5:*:*:*:*:*:*:*",
"matchCriteriaId": "44378AD0-AF1D-4297-8506-E9F02C865B68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user\u0027s password, due to lack of lock-out after excessive failed logins."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versi\u00f3n 2018.5. Un atacante puede hacer repetidos intentos de adivinar la contrase\u00f1a de un usuario local, debido a la falta de bloqueo despu\u00e9s de excesivos inicios de sesi\u00f3n fallidos"
}
],
"id": "CVE-2020-15770",
"lastModified": "2024-11-21T05:06:08.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.260",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15770"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15770"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-22 11:29
Modified
2024-11-21 04:21
Severity ?
Summary
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://gradle.com/enterprise/releases/2018.5/#changes-3 | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2019-11402 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gradle.com/enterprise/releases/2018.5/#changes-3 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2019-11402 | Broken Link |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A1CC2BFC-140E-4152-BA54-AADF21C7D6AA",
"versionEndExcluding": "2018.5.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format."
},
{
"lang": "es",
"value": "En Gradle Enterprise versiones anteriores a 2018.5.3, Build Cache Nodes no almacenaba las credenciales en un formato cifrado."
}
],
"id": "CVE-2019-11402",
"lastModified": "2024-11-21T04:21:02.343",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T11:29:04.393",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-3"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11402"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://gradle.com/enterprise/releases/2018.5/#changes-3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://security.gradle.com/advisory/CVE-2019-11402"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 15:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15773 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15773 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "98869093-FBBA-4D96-BF88-B61F96FEF820",
"versionEndExcluding": "2020.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the API."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones anteriores a 2020.2.4.\u0026#xa0;Debido a unas peticiones de origen cruzado no restringidas para datos de solo lectura en la API Export, un atacante puede acceder a los datos como un usuario (durante la duraci\u00f3n de la sesi\u00f3n del navegador) despu\u00e9s de autenticarse previamente expl\u00edcitamente con la API"
}
],
"id": "CVE-2020-15773",
"lastModified": "2024-11-21T05:06:08.680",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T15:15:13.420",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15773"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15773"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15767 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15767 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD367EF2-3F92-43C8-A18F-BE0F679521AF",
"versionEndExcluding": "2020.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the \u201csecure\u201d attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones anteriores a 2020.2.5. La cookie utilizada para transmitir el token de prevenci\u00f3n del CSRF no est\u00e1 anotada con el atributo \"seguro\", lo que permite a un atacante con capacidad de MITM peticiones HTTP simples obtenerlo, si el usuario utiliza por error una direcci\u00f3n HTTP en lugar de HTTPS para acceder al servidor. Este valor de la cookie podr\u00eda entonces ser utilizado para realizar CSRF"
}
],
"id": "CVE-2020-15767",
"lastModified": "2024-11-21T05:06:07.797",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.073",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15767"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15767"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-311"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-17 17:15
Modified
2024-11-21 06:52
Severity ?
Summary
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://security.gradle.com | Vendor Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/2022-02 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/2022-02 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E24345EF-8922-477E-8407-1318B556D67C",
"versionEndExcluding": "2021.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)"
},
{
"lang": "es",
"value": "En Gradle Enterprise versiones anteriores a 2021.4.2, la configuraci\u00f3n por defecto de la cach\u00e9 de construcci\u00f3n incorporada permit\u00eda el acceso an\u00f3nimo de escritura. Si esto no es cambiado manualmente, un actor malicioso con acceso a la red a la cach\u00e9 de compilaci\u00f3n podr\u00eda rellenarla con entradas manipuladas que ejecutaran c\u00f3digo malicioso como parte de una compilaci\u00f3n. A partir de la versi\u00f3n 2021.4.2, la cach\u00e9 de compilaci\u00f3n incorporada es inaccesible por defecto, por lo que es necesario configurar expl\u00edcitamente sus par\u00e1metros de control de acceso antes de poder usarla. (Los nodos remotos de la cach\u00e9 de compilaci\u00f3n no est\u00e1n afectados, ya que son inaccesibles por defecto)"
}
],
"id": "CVE-2022-25364",
"lastModified": "2024-11-21T06:52:04.947",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-17T17:15:07.550",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/2022-02"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-276"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15774 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15774 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "09283EF9-03F6-4D99-A939-C475E7D71B95",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2018.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2018.5 - 2020.2.4. Un atacante con acceso f\u00edsico al navegador de un usuario que se ha conectado recientemente a Gradle Enterprise y que desde entonces ha cerrado su navegador podr\u00eda reabrirlo para acceder a Gradle Enterprise como ese usuario"
}
],
"id": "CVE-2020-15774",
"lastModified": "2024-11-21T05:06:08.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.450",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15774"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15774"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-18 14:15
Modified
2024-11-21 05:06
Severity ?
Summary
An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| cve@mitre.org | https://security.gradle.com/advisory/CVE-2020-15775 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gradle/gradle/security/advisories | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gradle.com/advisory/CVE-2020-15775 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gradle | enterprise | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DA21129-2607-489F-AED4-685F02499CC8",
"versionEndIncluding": "2020.2.4",
"versionStartIncluding": "2017.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en Gradle Enterprise versiones 2017.1 - 2020.2.4. La p\u00e1gina de uso de Gradle Enterprise transmite informaci\u00f3n de alto nivel como nombres de proyectos y recuentos de construcci\u00f3n a lo largo del tiempo. Esta p\u00e1gina se puede ver incorrectamente de forma an\u00f3nima"
}
],
"id": "CVE-2020-15775",
"lastModified": "2024-11-21T05:06:08.960",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-18T14:15:12.497",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gradle/gradle/security/advisories"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://security.gradle.com/advisory/CVE-2020-15775"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}