This Week in Spring - June 4th, 2024
Hi, Spring fans, from London! I'm in this fabulous country doing my level-headed best to refrain from doing Mr. Bean bits, because, honestly, if I - an avid and prolific fan of Spring and its many beans - can't be "Mr. Bean," then I'm glad Rowan Atkinson is! I'm here for a SpringOne Tour event,...
RHEL 6 : gradle (Unpatched Vulnerability)
The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - gradle: Possible local text file exfiltration by XML external entity (XXE) injection (CVE-2023-42445) - gradle:...
SBOM support in Spring Boot 3.3
Spring Boot 3.3.0 has been released, and it contains support for SBOMs. SBOM stands for "Software Bill of Materials" and describes the components used to build a software artifact. In the context of this blog post, that's your Spring Boot application. These SBOMs are useful because they describe...
SUSE: Security Advisory (SUSE-SU-2024:1119-1)
The remote host is missing the update for gradle and gradle-bootstrap referenced in SUSE-SU-2024:1119-1 (Greenbone AG, 2024; description text may be excerpted from the referenced sources; SPDX-License-Identifier: GPL-2.0-only)...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gradle, gradle-bootstrap (SUSE-SU-2024:1119-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1119-1 advisory. - The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for...
openSUSE Security Advisory (SUSE-SU-2024:1119-1)
The remote host is missing the update for gradle and gradle-bootstrap referenced in SUSE-SU-2024:1119-1 for openSUSE (Greenbone AG, 2024; description text may be excerpted from the referenced sources; SPDX-License-Identifier: GPL-2.0-only)...
SUSE-SU-2024:1119-1 Security update for gradle, gradle-bootstrap
This update for gradle, gradle-bootstrap fixes the following issues: - CVE-2021-29429: Fixed information disclosure through temporary directory permissions (bsc#1184799). - CVE-2019-15052: Fixed authentication credentials disclosure (bsc#1145903). gradle: - Fixed RPM package building issues due to...
BIT-GRADLE-2021-29427 Repository content filters do not work in Settings pluginManagement
In Gradle from version 5.1 and before version 7.0, there is a vulnerability that can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies...
BIT-GRADLE-2021-29428 Local privilege escalation through system temporary directory
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreatin...
BIT-GRADLE-2021-29429 Information disclosure through temporary directory permissions
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded...
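The two entries above describe the same root cause from two sides: a temporary directory that other local users can write to (the delete-and-recreate race) and files inside it that other users can read (the information disclosure). The following is an added audit example, not Gradle's own code: it builds a constructed scratch layout under a private directory so it runs offline, reports both weaknesses, and shows the hardened alternative, a per-user directory created 0700 by `tempfile.mkdtemp()`. All helper names are hypothetical, and the checks are Unix permission-bit checks.

```python
"""Audit a temporary-directory tree for the two weaknesses described above.

Added example (not Gradle's code). The layout it inspects is constructed
inside a private mkdtemp() root, so it touches nothing shared.
"""
import os
import stat
import tempfile


def describe_perms(path: str) -> dict:
    """Return the permission facts an auditor cares about for one path."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "is_dir": stat.S_ISDIR(st.st_mode),
        "mode": oct(mode),
        # Anyone on the host can create or delete entries in a world-writable dir.
        "world_writable": bool(mode & stat.S_IWOTH),
        # The sticky bit (as on /tmp) stops users deleting each other's entries,
        # but does nothing about files that are themselves readable by others.
        "sticky": bool(st.st_mode & stat.S_ISVTX),
        # Group or world read access leaks whatever was downloaded into the file.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def audit_tree(root: str) -> list:
    """Walk root and return (path, finding) for entries a local user could abuse."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = describe_perms(dirpath)
        if d["world_writable"]:
            findings.append((dirpath, "world-writable directory"))
        for name in filenames:
            p = os.path.join(dirpath, name)
            if describe_perms(p)["readable_by_others"]:
                findings.append((p, "file readable by other users"))
    return findings


def make_private_tmp(parent: str = None, prefix: str = "gradle-") -> str:
    """Hardened form: mkdtemp() creates the directory with mode 0700 regardless
    of umask, so neither the race nor the read-through applies to its contents."""
    return tempfile.mkdtemp(prefix=prefix, dir=parent)


def build_constructed_layout() -> str:
    """Constructed sample: a 'weak' sticky, world-writable directory holding a
    0644 file, next to a private 0700 directory holding a 0600 file.
    Returns the sandbox root (itself private)."""
    root = tempfile.mkdtemp(prefix="tmpdir-audit-demo-")

    weak = os.path.join(root, "weak-shared")
    os.mkdir(weak)
    os.chmod(weak, 0o1777)  # the classic /tmp mode: sticky but open to everyone
    weak_file = os.path.join(weak, "downloaded.txt")
    with open(weak_file, "w") as f:
        f.write("constructed content standing in for a downloaded resource\n")
    os.chmod(weak_file, 0o644)

    private = make_private_tmp(parent=root)
    private_file = os.path.join(private, "downloaded.txt")
    with open(private_file, "w") as f:
        f.write("same content, private copy\n")
    os.chmod(private_file, 0o600)
    return root


if __name__ == "__main__":
    sandbox = build_constructed_layout()
    for path, finding in audit_tree(sandbox):
        print(f"{finding:30} {path}")
    print("private dir mode:", describe_perms(make_private_tmp(parent=sandbox))["mode"])
```

Run against a real build host, point `audit_tree` at the directory your build actually uses (the value of `java.io.tmpdir`, or `TMPDIR`), and treat any "world-writable directory" finding as the precondition for the race described above.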
BIT-GRADLE-2021-32751 Arbitrary code execution via specially crafted environment variables
Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the application plugin and the gradlew script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. Thi...
BIT-GRADLE-2021-41584
Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header...
BIT-GRADLE-2021-41586
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password...
BIT-GRADLE-2021-41587
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources...
BIT-GRADLE-2021-41588
In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys...
BIT-GRADLE-2022-23630 Dependency verification bypass in Gradle
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip dependency verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled ...
BIT-GRADLE-2022-30586
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution...
BIT-GRADLE-2022-31156 Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...
BIT-GRADLE-2023-26053 Gradle usage of long IDs for PGP keys opens potential for collision attacks
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64 bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a trusted-key or pgp element in their...
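The practical check for this entry is to find every 16-hex-digit key reference in a verification-metadata file and replace it with the full 40-hex-digit fingerprint. The following is an added example, not Gradle's code: it derives the 64-bit long ID from a v4 fingerprint (its low-order 64 bits, i.e. the last 16 hex digits), shows two different constructed fingerprints that share one long ID, and audits a constructed verification-metadata.xml whose `trusted-key id=` and `pgp value=` attributes follow Gradle's file format. The fingerprints are made-up hex, not real keys, and namespace handling is deliberately loose so the audit works with or without the `xmlns` declaration.

```python
"""Flag 64-bit PGP key IDs in a Gradle verification-metadata.xml.

Added example (not Gradle's code). SAMPLE_XML and the KEY_* fingerprints are
constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

HEX16 = re.compile(r"^[0-9A-Fa-f]{16}$")   # "long" key ID: low 64 bits only
HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")   # full v4 fingerprint: 160-bit SHA-1


def long_id(fingerprint: str) -> str:
    """The OpenPGP 64-bit key ID is the low-order 64 bits of the v4 fingerprint,
    i.e. its last 16 hex digits. Two keys whose fingerprints end in the same 16
    digits are indistinguishable to anything that trusts long IDs."""
    fp = fingerprint.replace(" ", "")
    if not HEX40.match(fp):
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp[-16:].upper()


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{https://...}trusted-key'."""
    return tag.rsplit("}", 1)[-1]


def audit_verification_metadata(xml_text: str) -> list:
    """Return (element, value, verdict) for every key reference in the file.
    verdict is 'long-id' (collision-prone), 'fingerprint' (fine) or 'malformed'."""
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "trusted-key":
            value = el.get("id", "")
        elif name == "pgp":
            value = el.get("value", "")
        else:
            continue
        if HEX40.match(value):
            verdict = "fingerprint"
        elif HEX16.match(value):
            verdict = "long-id"
        else:
            verdict = "malformed"
        results.append((name, value, verdict))
    return results


# Constructed sample. KEY_A and KEY_B are different 160-bit fingerprints whose
# LAST 16 hex digits coincide, which is exactly the collision described above.
KEY_A = "1111111111111111111111110123456789ABCDEF"
KEY_B = "2222222222222222222222220123456789ABCDEF"

SAMPLE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>true</verify-signatures>
    <trusted-keys>
      <trusted-key id="{KEY_A}" group="org.example"/>
      <trusted-key id="{long_id(KEY_B)}" group="org.example.legacy"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="org.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <pgp value="{long_id(KEY_A)}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""


def collision_demo() -> bool:
    """True when two distinct fingerprints map to the same 64-bit long ID."""
    return KEY_A != KEY_B and long_id(KEY_A) == long_id(KEY_B)


if __name__ == "__main__":
    print("collision between KEY_A and KEY_B:", collision_demo())
    for element, value, verdict in audit_verification_metadata(SAMPLE_XML):
        print(f"{verdict:12} {element:12} {value}")
```

Anything reported as `long-id` should be replaced with the key's full fingerprint, obtained out of band from the key itself, not by looking up the 16-digit ID on a keyserver, since that lookup is the step a colliding key subverts.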
BIT-GRADLE-2023-35946 Dependency cache path traversal in Gradle
Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to writ...
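The defence a practitioner wants for this class of bug is a containment check: validate each coordinate against an allow-list before joining it into a path, then prove the normalized result is still under the cache root. The following is an added example, not Gradle's code: the cache layout (`root/group/name/version/filename`) is a simplified stand-in for Gradle's real one, the crafted coordinates are constructed, and `posixpath` is used throughout so nothing is written to disk and the result does not depend on the host OS.

```python
"""Containment check for dependency-cache paths derived from coordinates.

Added example (not Gradle's code). The layout is simplified and the crafted
coordinates are constructed; nothing touches the filesystem.
"""
import posixpath
import re

# Characters that may legitimately appear in one coordinate: letters, digits,
# '.', '_' and '-', starting with a letter or digit. Slashes, backslashes, NUL
# and a bare '.'/'..' are all refused before any path is built.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def naive_cache_path(root: str, group: str, name: str, version: str, filename: str) -> str:
    """The weak form: join the coordinates and trust the result."""
    return posixpath.join(root, group, name, version, filename)


def escapes_root(root: str, path: str) -> bool:
    """Does path, once '..' segments are collapsed, land outside root?"""
    root_n = posixpath.normpath(root)
    return posixpath.commonpath([root_n, posixpath.normpath(path)]) != root_n


def safe_cache_path(root: str, group: str, name: str, version: str, filename: str) -> str:
    """Hardened form: allow-list every component, then verify containment.
    Raises ValueError on anything that would write outside the cache root."""
    for label, value in (("group", group), ("name", name),
                         ("version", version), ("filename", filename)):
        if not SAFE_COMPONENT.match(value):
            raise ValueError(f"unsafe {label} coordinate: {value!r}")
    candidate = posixpath.normpath(posixpath.join(root, group, name, version, filename))
    # Belt and braces: even if the allow-list were loosened later, a path that
    # resolves outside the root is still rejected here.
    if escapes_root(root, candidate):
        raise ValueError(f"path escapes cache root: {candidate}")
    return candidate


if __name__ == "__main__":
    ROOT = "/home/build/.gradle/caches/modules-2/files-2.1"
    crafted_version = "../../../../../../../../tmp/evil"  # constructed
    naive = naive_cache_path(ROOT, "org.example", "lib", crafted_version, "lib.jar")
    print("naive path:", naive)
    print("escapes cache root:", escapes_root(ROOT, naive))
    print("safe path: ", safe_cache_path(ROOT, "org.example", "lib", "1.0", "lib-1.0.jar"))
    try:
        safe_cache_path(ROOT, "org.example", "lib", crafted_version, "lib.jar")
    except ValueError as e:
        print("rejected:", e)
```

The allow-list does the real work; the `escapes_root` check after it is there so that a future relaxation of the pattern cannot silently reintroduce traversal.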