VYPR

Gradle Enterprise

by Gradle

CVEs (13)

  • CVE-2022-27919CriMar 25, 2022
    risk 0.64cvss 9.8epss 0.02

    Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.

  • CVE-2021-41589CriOct 27, 2021
    risk 0.64cvss 9.8epss 0.02

    In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user…

  • CVE-2022-25364HigMar 17, 2022
    risk 0.53cvss 8.1epss 0.01

    In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute…

  • CVE-2021-41588HigSep 24, 2021
    risk 0.53cvss 8.1epss 0.01

    In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys.

  • CVE-2022-41575HigOct 21, 2022
    risk 0.49cvss 7.5epss 0.01

    A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.

  • CVE-2022-30587HigJun 6, 2022
    risk 0.49cvss 7.5epss 0.01

    Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.

  • CVE-2021-41587HigSep 24, 2021
    risk 0.49cvss 7.5epss 0.01

    In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.

  • CVE-2021-41586HigSep 24, 2021
    risk 0.49cvss 7.5epss 0.01

    In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.

  • CVE-2021-41584HigSep 24, 2021
    risk 0.49cvss 7.5epss 0.01

    Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.

  • CVE-2022-30586HigJun 6, 2022
    risk 0.47cvss 7.2epss 0.01

    Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.

  • CVE-2021-41619HigOct 27, 2021
    risk 0.47cvss 7.2epss 0.03

    An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup…

  • CVE-2022-27225MedMar 16, 2022
    risk 0.42cvss 6.5epss 0.01

    Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards…

  • CVE-2021-41590MedOct 27, 2021
    risk 0.35cvss 5.3epss 0.01

    In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be…