VYPR

Vendor CVEs

Gradle

All CVEs

42 total · sorted by risk
  • CVE-2016-6199 · Critical · Feb 7, 2017
    risk 0.64 · cvss 9.8 · epss 0.05

    ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.

  • CVE-2025-27148 · High · Feb 25, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library…

  • CVE-2025-24858 · High · Jan 26, 2025
    risk 0.54 · cvss n/a · epss 0.00

    Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and…

  • CVE-2024-46881 · High · Jan 26, 2025
    risk 0.46 · cvss 7.1 · epss 0.00

    Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable…

  • CVE-2026-25063 · Jan 29, 2026
    risk 0.00 · cvss n/a · epss 0.01

    gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious…

  • CVE-2026-22865 · Jan 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered…

  • CVE-2026-22816 · Jan 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered…

  • CVE-2023-49238 · Jan 9, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an…

  • CVE-2023-42445 · Oct 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to…

  • CVE-2023-44387 · Oct 5, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting…

  • CVE-2023-35946 · Jun 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle…

  • CVE-2023-35947 · Jun 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being…

  • CVE-2023-26053 · Mar 2, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or…

  • CVE-2022-41575 · Oct 21, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.

  • CVE-2022-31156 · Jul 14, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which…

  • CVE-2022-30586 · Jun 6, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.

  • CVE-2022-27919 · Mar 25, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.

  • CVE-2022-27225 · Mar 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards…

  • CVE-2022-23630 · Feb 10, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency…

  • CVE-2021-41589 · Oct 27, 2021
    risk 0.00 · cvss n/a · epss 0.02

    In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user…

  • CVE-2021-41619 · Oct 27, 2021
    risk 0.00 · cvss n/a · epss 0.03

    An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup…

  • CVE-2021-41590 · Oct 27, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be…

  • CVE-2021-41586 · Sep 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.

  • CVE-2021-41587 · Sep 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.

  • CVE-2021-41584 · Sep 24, 2021
    risk 0.00 · cvss n/a · epss 0.01

    Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.

  • CVE-2021-32751 · Jul 20, 2021
    risk 0.00 · cvss n/a · epss 0.03

    Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user…

  • CVE-2021-29427 · Apr 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve…

  • CVE-2021-29428 · Apr 13, 2021
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly…

  • CVE-2021-29429 · Apr 12, 2021
    risk 0.00 · cvss n/a · epss 0.00

    In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through…

  • CVE-2021-26719 · Feb 9, 2021
    risk 0.00 · cvss n/a · epss 0.01

    A directory traversal issue was discovered in Gradle gradle-enterprise-test-distribution-agent before 1.3.2, test-distribution-gradle-plugin before 1.3.2, and gradle-enterprise-maven-extension before 1.8.2. A malicious actor (with certain credentials) can perform a registration…

  • CVE-2020-15773 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker can access data as a user (for the duration of the browser session) after previously explicitly authenticating with the…

  • CVE-2020-15767 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a…

  • CVE-2020-15771 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

  • CVE-2020-15772 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities…

  • CVE-2020-15774 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.00

    An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.

  • CVE-2020-15775 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously.

  • CVE-2020-15776 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token,…

  • CVE-2020-15768 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.02

    An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS…

  • CVE-2020-15769 · Sep 18, 2020
    risk 0.00 · cvss n/a · epss 0.01

    An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL.

  • CVE-2019-15052 · Aug 14, 2019
    risk 0.00 · cvss n/a · epss 0.03

    The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

  • CVE-2019-11403 · Apr 21, 2019
    risk 0.00 · cvss n/a · epss 0.01

    In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.

  • CVE-2019-11065 · Apr 9, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.