VYPR

Gradle

by Gradle

Source repositories

CVEs (39)

  • CVE-2021-41587Sep 24, 2021
    risk 0.00cvss epss 0.01

    In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.

  • CVE-2021-41584Sep 24, 2021
    risk 0.00cvss epss 0.01

    Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.

  • CVE-2021-32751Jul 20, 2021
    risk 0.00cvss epss 0.03

    Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user…

  • CVE-2021-29427Apr 13, 2021
    risk 0.00cvss epss 0.01

    In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve…

  • CVE-2021-29428Apr 13, 2021
    risk 0.00cvss epss 0.01

    In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly…

  • CVE-2021-29429Apr 12, 2021
    risk 0.00cvss epss 0.00

    In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through…

  • CVE-2021-26719Feb 9, 2021
    risk 0.00cvss epss 0.01

    A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration…

  • CVE-2020-15773Sep 18, 2020
    risk 0.00cvss epss 0.00

    An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the…

  • CVE-2020-15767Sep 18, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a…

  • CVE-2020-15771Sep 18, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

  • CVE-2020-15772Sep 18, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities…

  • CVE-2020-15774Sep 18, 2020
    risk 0.00cvss epss 0.00

    An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.

  • CVE-2020-15775Sep 18, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously.

  • CVE-2020-15776Sep 18, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token,…

  • CVE-2020-15768Sep 18, 2020
    risk 0.00cvss epss 0.02

    An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS…

  • CVE-2020-15769Sep 18, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.

  • CVE-2019-15052Aug 14, 2019
    risk 0.00cvss epss 0.03

    The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

  • CVE-2019-11403Apr 21, 2019
    risk 0.00cvss epss 0.01

    In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.

  • CVE-2019-11065Apr 9, 2019
    risk 0.00cvss epss 0.01

    Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

Page 2 of 2