#VU63473 Inclusion of Functionality from Untrusted Control Sphere in gradle - CVE-2021-29427

Cybersecurity Help s.r.o.

Published: 2022-05-20

Vulnerability identifier: #VU63473

Vulnerability risk: Medium

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-29427

CWE-ID: CWE-829

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
gradle
Other software / Other software solutions

Vendor: Gradle

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to Gradle may ignore content filters and search all repositories for dependencies. A remote user with the ability to modify a user program can change user program code on some control systems and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

gradle: 5.1.0 - 5.6.0, 6.0.0 - 6.8.2

External links
https://docs.gradle.org/7.0/release-notes.html#security-advisories
https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Gradle gradle