Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Gradle Subscribe
Total 41 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-26053 1 Gradle 1 Gradle 2023-03-09 N/A 9.8 CRITICAL
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.
CVE-2019-15052 1 Gradle 1 Gradle 2023-03-02 5.0 MEDIUM 9.8 CRITICAL
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
CVE-2019-11065 2 Fedoraproject, Gradle 2 Fedora, Gradle 2023-03-01 4.3 MEDIUM 5.9 MEDIUM
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
CVE-2019-11403 1 Gradle 2 Build Cache Node, Enterprise 2023-01-20 5.0 MEDIUM 9.8 CRITICAL
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.
CVE-2019-11402 1 Gradle 1 Enterprise 2023-01-20 5.0 MEDIUM 9.8 CRITICAL
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2022-41575 1 Gradle 1 Enterprise 2022-10-24 N/A 7.5 HIGH
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.
CVE-2022-41574 1 Gradle 1 Enterprise 2022-10-11 N/A 7.5 HIGH
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
CVE-2020-15776 1 Gradle 1 Enterprise 2022-09-29 6.8 MEDIUM 8.8 HIGH
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.
CVE-2020-15772 1 Gradle 1 Enterprise 2022-09-29 4.0 MEDIUM 4.9 MEDIUM
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. When configuring Gradle Enterprise to integrate with a SAML identity provider, an XML metadata file can be uploaded by an administrator. The server side processing of this file dereferences XML External Entities (XXE), allowing a remote attacker with administrative access to perform server side request forgery.
CVE-2020-15774 1 Gradle 1 Enterprise 2022-09-29 4.6 MEDIUM 6.8 MEDIUM
An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle Enterprise and since closed their browser could reopen their browser to access Gradle Enterprise as that user.
CVE-2020-15775 1 Gradle 1 Enterprise 2022-09-29 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names and build counts over time. This page is incorrectly viewable anonymously.
CVE-2020-15768 1 Gradle 2 Enterprise, Enterprise Cache Node 2022-09-29 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers.
CVE-2020-15770 1 Gradle 1 Enterprise 2022-09-29 2.1 LOW 5.5 MEDIUM
An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.
CVE-2022-31156 1 Gradle 1 Gradle 2022-07-20 N/A 4.4 MEDIUM
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.
CVE-2021-41590 1 Gradle 1 Enterprise 2022-07-12 5.0 MEDIUM 5.3 MEDIUM
In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration user interface available to administrators allows testing the configured SMTP server settings. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment.
CVE-2022-30587 1 Gradle 1 Gradle Enterprise 2022-06-14 5.0 MEDIUM 7.5 HIGH
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.
CVE-2022-30586 1 Gradle 1 Gradle 2022-06-14 6.5 MEDIUM 7.2 HIGH
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.
CVE-2020-11979 4 Apache, Fedoraproject, Gradle and 1 more 37 Ant, Fedora, Gradle and 34 more 2022-05-12 5.0 MEDIUM 7.5 HIGH
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
CVE-2022-25364 1 Gradle 1 Enterprise 2022-05-10 9.3 HIGH 8.1 HIGH
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
CVE-2022-27919 1 Gradle 1 Enterprise 2022-03-30 7.5 HIGH 9.8 CRITICAL
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.