Gradle

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-15768 1Gradle 2Enterprise Enterprise Cache Node Nov 21, 2024 Sep 18, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication c...Show more An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers.Show less
CVE-2020-15767 1Gradle 1Enterprise Nov 21, 2024 Sep 18, 2020 N/A· v4 5.3 MEDIUM· v3 2.6 LOW· v2 An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP...Show more An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.Show less
CVE-2020-15777 1Gradle 1Maven Nov 21, 2024 Aug 25, 2020 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus all...Show more An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation.Show less
CVE-2020-7599 1Gradle 1Plugin Publishing Nov 21, 2024 Mar 30, 2020 N/A· v4 6.5 MEDIUM· v3 3.3 LOW· v2 All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level fl...Show more All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.Show less
CVE-2019-16370 1Gradle 1Gradle Nov 21, 2024 Sep 16, 2019 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-490...Show more The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.Show less
CVE-2019-15052 1Gradle 1Gradle Nov 21, 2024 Aug 14, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the...Show more The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.Show less
CVE-2019-11403 1Gradle 2Build Cache Node Enterprise Nov 21, 2024 Apr 22, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.
CVE-2019-11402 1Gradle 1Enterprise Nov 21, 2024 Apr 22, 2019 N/A· v4 9.8 CRITICAL· v3 5.0 MEDIUM· v2 In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2019-11065 2Fedoraproject Gradle 2Fedora Gradle Nov 21, 2024 Apr 10, 2019 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a...Show more Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.Show less
CVE-2016-6199 1Gradle 1Gradle May 13, 2026 Feb 7, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.

Previous 1 23