Gradle Enterprise
by Gradle
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-27919 | | Critical | 0.64 | 9.8 | 0.02 | | Mar 25, 2022 | Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API. |
| CVE-2021-41589 | | Critical | 0.64 | 9.8 | 0.02 | | Oct 27, 2021 | In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user… |
| CVE-2022-25364 | | High | 0.53 | 8.1 | 0.01 | | Mar 17, 2022 | In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute… |
| CVE-2021-41588 | | High | 0.53 | 8.1 | 0.01 | | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys. |
| CVE-2022-41575 | | High | 0.49 | 7.5 | 0.01 | | Oct 21, 2022 | A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. |
| CVE-2022-30587 | | High | 0.49 | 7.5 | 0.01 | | Jun 6, 2022 | Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure. |
| CVE-2021-41587 | | High | 0.49 | 7.5 | 0.01 | | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources. |
| CVE-2021-41586 | | High | 0.49 | 7.5 | 0.01 | | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. |
| CVE-2021-41584 | | High | 0.49 | 7.5 | 0.01 | | Sep 24, 2021 | Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header. |
| CVE-2022-30586 | | High | 0.47 | 7.2 | 0.01 | | Jun 6, 2022 | Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. |
| CVE-2021-41619 | | High | 0.47 | 7.2 | 0.03 | | Oct 27, 2021 | An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup… |
| CVE-2022-27225 | | Medium | 0.42 | 6.5 | 0.01 | | Mar 16, 2022 | Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards… |
| CVE-2021-41590 | | Medium | 0.35 | 5.3 | 0.01 | | Oct 27, 2021 | In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be… |