Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU63478
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-29429
CWE-ID:
CWE-377 - Insecure Temporary File
Exploit availability: No
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists because remote files accessed through TextResourceFactory are first downloaded into the system temporary directory. A local user with access to the system can view the contents of these files and gain access to sensitive information.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
gradle: 2.12 - 6.9.2
CPE2.3
External links
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
https://docs.gradle.org/7.0/release-notes.html#security-advisories
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63473
Risk: Medium
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29427
CWE-ID:
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Exploit availability: No
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists because Gradle may ignore repository content filters and search all repositories for dependencies. A remote user with the ability to modify a user program can change user program code on some control systems and execute arbitrary code on the target system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
gradle: 5.1.0 - 6.8.2
CPE2.3
External links
https://docs.gradle.org/7.0/release-notes.html#security-advisories
https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
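The repository content filtering that CVE-2021-29427 concerns is configured in the build script. The following Gradle Kotlin DSL fragment is an added example, not taken from the bulletin or from the Gradle project; the repository URL and the group names are placeholders. It pins an internal group to the internal repository with exclusiveContent and keeps the public repository from serving that group, so a dependency is never looked up in a repository it is not expected to come from.

```kotlin
// build.gradle.kts (added example; URL and group names are placeholders)
repositories {
    // Internal artifacts may only be resolved from the internal repository.
    // exclusiveContent makes the filtered groups resolvable from this
    // repository alone, so no other declared repository is searched for them.
    exclusiveContent {
        forRepository {
            maven {
                name = "internal"
                url = uri("https://repo.example.internal/maven") // placeholder
            }
        }
        filter {
            includeGroup("com.example.internal")       // placeholder group
            includeGroupByRegex("com\\.example\\..*")  // placeholder pattern
        }
    }
    // The public repository is restricted to what it is expected to serve:
    // anything in the internal namespace is excluded here as well.
    mavenCentral {
        content {
            excludeGroupByRegex("com\\.example\\..*")  // placeholder pattern
        }
    }
}
```

Because the affected versions listed above may ignore these filters, the configuration complements the vendor update rather than replacing it.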