CVE-2019-15052

Published: Aug 14, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

Affected (1)

Products: Gradle: Gradle

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gradle Gradle	Before 5.6

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (6)

https://github.com/gradle/gradle/issues/10278

Source: cve@mitre.org

ExploitIssue TrackingThird Party Advisory

https://github.com/gradle/gradle/pull/10176

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/gradle/gradle/issues/10278

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://github.com/gradle/gradle/pull/10176

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.