Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin
Impact The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. Patch...
app.pickmaven:businessdays (>=1.0.0 <=1.0.1), br.com.martinlabs:martinlabs-commons (=3.4) +834 more potentially affected by CVE-2018-10237 via com.google.guava:guava-jdk5 (>=13.0 <=17.0)
com.google.guava:guava-jdk5 (MAVEN); versions: =13.0, =1.0.0, =0.1, =0.1, =4.0.2, =1.0, =1.0, =1.0.16, =1.0.16, =2.4.1 and more. Source CVEs: CVE-2018-10237. Source advisory: OSV:GHSA-MVR2-9PJ6-7W5J...
CVE-2020-7599
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...
Code injection
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...
Insertion of Sensitive Information into Log File
Overview com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin is a plugin that publishes plugins to the Gradle Plugin Portal. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while...
DEBIAN-CVE-2019-16370
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...
Improper Restriction of XML External Entity Reference in DiffPlug Spotless
In DiffPlug Spotless before 1.20.0 library and Maven plugin and before 3.20.0 Gradle plugin, the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a...
CVE-2019-9843
In DiffPlug Spotless before 1.20.0 library and Maven plugin and before 3.20.0 Gradle plugin, the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a...
com.bytekast.serverless-local-apigateway:com.bytekast.serverless-local-apigateway.gradle.plugin (>=0.4 <=0.5), gradle.plugin.com.bytekast:serverless-local-apigateway (>=0.4 <=0.5) +1 more potentially affected by CVE-2019-11808 via io.ratpack:ratpack-groovy (>=0.9.0 <=1.6.0)
io.ratpack:ratpack-groovy (MAVEN); versions: =0.9.0, =0.4, =0.4, =0.9.0, =1.10.0-milestone-39. Source CVEs: CVE-2019-11808. Source advisory: OSV:GHSA-54MG-VGRP-MWX9...
com.gabrielittner.ktlint:ktlint-rules (=0.1.0), com.github.gantsign.maven:ktlint-maven-plugin (>=0.9.8 <=0.9.17) +14 more potentially affected by CVE-2019-1010260 via com.github.shyiko.ktlint:ktlint-core (>=0.10.0 <=0.2.2)
com.github.shyiko.ktlint:ktlint-core (MAVEN); versions: =0.10.0, =0.9.8, =0.10.0, =0.10.0, =0.10.0, =0.2.0, =0.2.0, =0.2.0, =1.4.0, =0.8.6, =0.8.6, =1.0.0-RC10, =1.0.0-RC10, =1.0.0.RC9.2 and more. Source CVEs: CVE-2019-1010260. Source advisory: OSV:GHSA-R8H9-HQ9C-2P5C...
com.github.kulya:jmeter-gradle-plugin (>=1.3.1-2.6 <=1.3.4-2.13), com.lazerycode.jmeter:jmeter-maven-plugin (>=1.4 <=1.10.1) +9 more potentially affected by CVE-2019-0187 via org.apache.jmeter:ApacheJMeter (>=2.10 <=5.0)
org.apache.jmeter:ApacheJMeter (MAVEN); versions: =2.10, =1.3.1-2.6, =1.4, =1.0.0-2.13, =1.0.0-2.13, =0.6.2beta3-2.13, =0.6.2beta3-2.13, =6.3.0, =6.2.0, =6.10.0. Source CVEs: CVE-2019-0187. Source advisory: OSV:GHSA-WG37-7MRV-CFWM...
org.cloudfoundry:cf-gradle-plugin (>=1.0.1 <=1.0.3), org.cloudfoundry:cf-maven-plugin (>=1.0.1 <=1.0.3) +5 more potentially affected by CVE-2018-1260 via org.springframework.security.oauth:spring-security-oauth2 (>=1.0.0.RELEASE <=1.0.2.RELEASE)
org.springframework.security.oauth:spring-security-oauth2 (MAVEN); versions: =1.0.0.RELEASE, =1.0.1, =1.0.1, =1.0.1, =0.9.0, =0.9.0, =0.9.0, =0.9.0, =1.0.22. Source CVEs: CVE-2018-1260. Source advisory: OSV:GHSA-RRPM-PJ7P-7J9Q...
UPDATE: OWASP Dependency-Check 2.1.0!
PenTestIT RSS Feed My first post about this open source OWASP project was about an older version. This post discusses the changes made to the open source software composition analysis utility in the latest release yesterday. This is the OWASP Dependency-Check 2.1.0! What I like about this release...
ProGuard - Java class file Shrinker, Optimizer, Obfuscator and Preverifier
ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names...