CVE-2020-15767

Published: Sep 18, 2020Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.

Affected (1)

Products: Gradle: Enterprise

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gradle Enterprise	Before 2020.2.5

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

References (4)

https://github.com/gradle/gradle/security/advisories

Source: cve@mitre.org

Third Party Advisory

https://security.gradle.com/advisory/CVE-2020-15767

Source: cve@mitre.org

Vendor Advisory

https://github.com/gradle/gradle/security/advisories

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.gradle.com/advisory/CVE-2020-15767

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.