Moderate severity · NVD Advisory · Published Mar 30, 2020 · Updated Aug 4, 2024
CVE-2020-7599
Description
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.
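The defensive check a CI operator would want for this class of bug is a log scanner that finds and redacts pre-signed URLs before a build log is published. The following is an added example, not code from the advisory, from Gradle, or from the plugin-publish plugin. The advisory does not say which pre-signed form the logger emitted, so the scanner assumes either the SigV4 query-string form (X-Amz-Algorithm, X-Amz-Credential, X-Amz-Signature) or the older SigV2 form (AWSAccessKeyId, Expires, Signature); the sample log lines, bucket name, key and signature values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters that mark a pre-signed S3 URL. SigV4 and the older SigV2
# query-string forms are both checked; which form the Gradle plugin emitted
# is not stated in the advisory (assumption: either may appear in a log).
SIGV4_MARKERS = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature"}
SIGV2_MARKERS = {"AWSAccessKeyId", "Signature", "Expires"}

# Matches an http(s) URL up to the next whitespace or quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_presigned_url(url: str) -> bool:
    """True if the URL carries a complete SigV4 or SigV2 pre-signed query."""
    params = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    return SIGV4_MARKERS <= params or SIGV2_MARKERS <= params


def redact_presigned_urls(line: str):
    """Replace every pre-signed URL in a log line with scheme, host and path
    plus a marker, so the log stays readable but the signed query is gone.
    Returns (redacted_line, number_of_urls_redacted)."""
    count = 0

    def _sub(match):
        nonlocal count
        url = match.group(0)
        if not is_presigned_url(url):
            return url  # ordinary URL, leave it untouched
        count += 1
        parts = urlsplit(url)
        return f"{parts.scheme}://{parts.netloc}{parts.path}?[PRESIGNED-QUERY-REDACTED]"

    return URL_RE.sub(_sub, line), count


def scan_log(lines):
    """Scan an iterable of log lines. Returns (redacted_lines, findings) where
    findings lists (line_number, original_line) for each line that leaked."""
    redacted, findings = [], []
    for number, line in enumerate(lines, 1):
        new_line, hits = redact_presigned_urls(line)
        redacted.append(new_line)
        if hits:
            findings.append((number, line))
    return redacted, findings


# Constructed sample of what a leaked --info build log might contain. The
# bucket, key, credential and signature values below are made up.
SAMPLE_LOG = """\
> Task :publishPlugins
Publishing plugin com.example.demo version 1.2.3
Uploading artifact to https://example-bucket.s3.amazonaws.com/plugins/demo-1.2.3.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20200330%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200330T000000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=0123456789abcdef
Legacy upload to https://example-bucket.s3.amazonaws.com/plugins/demo-1.2.3.pom?AWSAccessKeyId=AKIAEXAMPLE&Expires=1585526400&Signature=abcdef%3D
Fetching https://plugins.gradle.org/plugin/com.example.demo (not a credential)
BUILD SUCCESSFUL
""".splitlines()

if __name__ == "__main__":
    cleaned, found = scan_log(SAMPLE_LOG)
    for number, _ in found:
        print(f"line {number}: pre-signed URL redacted")
    print("\n".join(cleaned))
```

Run as a filter over the raw build output before it is archived or displayed; the findings list doubles as a detection signal that a publish step is still logging signed URLs, which is the condition the 0.11.0 fix removes at the source.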
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.gradle.publish:plugin-publish-plugin | Maven | < 0.11.0 | 0.11.0 |
| com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin | Maven | < 0.11.0 | 0.11.0 |
Affected products
- com.gradle/plugin-publish
- pkg:maven/com.gradle.plugin-publish/com.gradle.plugin-publish.gradle.plugin (no CPE; range: < 0.11.0)
- pkg:maven/com.gradle.publish/plugin-publish-plugin (no CPE; range: < 0.11.0)
References
- https://github.com/advisories/GHSA-cv78-v957-jx34 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-7599 (NVD advisory)
- https://blog.gradle.org/plugin-portal-update (web)
- https://plugins.gradle.org/plugin/com.gradle.plugin-publish (web)
- https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866 (web)