VYPR
Moderate severityNVD Advisory· Published Mar 30, 2020· Updated Aug 4, 2024

CVE-2020-7599

CVE-2020-7599

Description

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.gradle.publish:plugin-publish-pluginMaven
< 0.11.00.11.0
com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.pluginMaven
< 0.11.00.11.0

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.