Bitnami package
gradle
pkg:bitnami/gradle
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22865 | — | | | < 9.3.0 | 9.3.0 | Jan 16, 2026 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered o |
| CVE-2026-22816 | — | | | < 9.3.0 | 9.3.0 | Jan 16, 2026 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered o |
| CVE-2025-27148 | High | 8.8 | | >= 8.12.0, < 8.12.1 | 8.12.1 | Feb 25, 2025 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library initializ |
| CVE-2023-42445 | — | | | < 7.6.3 | 7.6.3 | Oct 6, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfilt |
| CVE-2023-44387 | — | | | < 7.6.3 | 7.6.3 | Oct 5, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting fil |
| CVE-2023-35946 | — | | | < 7.6.2 | 7.6.2 | Jun 30, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle ca |
| CVE-2023-35947 | — | | | < 7.6.2 | 7.6.2 | Jun 30, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwrit |
| CVE-2023-26053 | — | | | >= 6.2.0, < 6.9.4 | 6.9.4 | Mar 2, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp |
| CVE-2022-31156 | — | | | >= 6.2.0, < 7.5.0 | 7.5.0 | Jul 14, 2022 | Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Grad |
| CVE-2022-30586 | — | | | < 1.3.1 | 1.3.1 | Jun 6, 2022 | Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. |
| CVE-2022-23630 | — | | | >= 6.2.0, < 7.3.4 | 7.3.4 | Feb 10, 2022 | Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verifica |
| CVE-2021-41586 | — | | | >= 2020.4.0, < 2021.1.3 | 2021.1.3 | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. |
| CVE-2021-41587 | — | | | >= 2017.6.0, < 2021.1.3 | 2021.1.3 | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. |
| CVE-2021-41588 | — | | | >= 2017.2.0, < 2021.1.3 | 2021.1.3 | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys. |
| CVE-2021-41584 | — | | | >= 2020.4.0, < 2021.1.3 | 2021.1.3 | Sep 24, 2021 | Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header. |
| CVE-2021-32751 | — | | | < 7.2.0 | 7.2.0 | Jul 20, 2021 | Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user ru |
| CVE-2021-29427 | — | | | >= 5.1.0, < 7.0.0 | 7.0.0 | Apr 13, 2021 | In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specif |
| CVE-2021-29428 | — | | | < 7.0.0 | 7.0.0 | Apr 13, 2021 | In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly delet |
| CVE-2021-29429 | — | | | < 7.0.0 | 7.0.0 | Apr 12, 2021 | In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFacto |
| CVE-2020-11979 | — | | | < 6.8.0 | 6.8.0 | Oct 1, 2020 | As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively n |