Gradle
by Gradle
Source repositories
CVEs (39)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-6199 | | Cri | 0.64 | 9.8 | 0.05 | | Feb 7, 2017 | ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. |
| CVE-2025-27148 | | Hig | 0.57 | 8.8 | 0.00 | | Feb 25, 2025 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library… |
| CVE-2026-22865 | | | 0.00 | — | 0.00 | | Jan 16, 2026 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered… |
| CVE-2026-22816 | | | 0.00 | — | 0.00 | | Jan 16, 2026 | Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered… |
| CVE-2023-49238 | | | 0.00 | — | 0.01 | | Jan 9, 2024 | In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an… |
| CVE-2023-42445 | | | 0.00 | — | 0.01 | | Oct 6, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to… |
| CVE-2023-44387 | | | 0.00 | — | 0.00 | | Oct 5, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting… |
| CVE-2023-35946 | | | 0.00 | — | 0.00 | | Jun 30, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle… |
| CVE-2023-35947 | | | 0.00 | — | 0.00 | | Jun 30, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being… |
| CVE-2023-26053 | | | 0.00 | — | 0.01 | | Mar 2, 2023 | Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or… |
| CVE-2022-41575 | | | 0.00 | — | 0.01 | | Oct 21, 2022 | A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3. |
| CVE-2022-31156 | | | 0.00 | — | 0.00 | | Jul 14, 2022 | Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which… |
| CVE-2022-30586 | | | 0.00 | — | 0.01 | | Jun 6, 2022 | Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution. |
| CVE-2022-27919 | | | 0.00 | — | 0.02 | | Mar 25, 2022 | Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API. |
| CVE-2022-27225 | | | 0.00 | — | 0.01 | | Mar 16, 2022 | Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards… |
| CVE-2022-23630 | | | 0.00 | — | 0.01 | | Feb 10, 2022 | Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency… |
| CVE-2021-41589 | | | 0.00 | — | 0.02 | | Oct 27, 2021 | In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user… |
| CVE-2021-41619 | | | 0.00 | — | 0.03 | | Oct 27, 2021 | An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup… |
| CVE-2021-41590 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be… |
| CVE-2021-41586 | | | 0.00 | — | 0.01 | | Sep 24, 2021 | In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password. |
Page 1 of 2