BIT-GRADLE-2023-35947 Path traversal vulnerabilities in handling of Tar archives in Gradle
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the...
BIT-GRADLE-2023-42445 Possible local file exfiltration by XML External entity injection
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack OOB-XXE, just parsing XML can lead to exfiltration of local tex...
BIT-GRADLE-2023-44387 Gradle has incorrect permission assignment for symlinked files used in copy or archiving operations
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to...
GHSA-4265-CCF5-PHJ5 vulnerabilities
Vulnerabilities for packages: celeborn, trino, gradle, dotty, spdx-tools-java, opensearch, tez, dependency-track, wavefront-proxy...
GHSA-4265-CCF5-PHJ5 vulnerabilities
Vulnerabilities for packages: gradle, tez, dotty, opensearch, spdx-tools-java, celeborn, wavefront-proxy, kayenta, dependency-track, kayenta-fips, hadoop-client-modules, trino, elasticsearch...
GHSA-4G9R-VXHX-9PGX vulnerabilities
Vulnerabilities for packages: celeborn, trino, gradle, dotty, spdx-tools-java, opensearch, tez, dependency-track, wavefront-proxy...
CVE-2024-26308 vulnerabilities
Vulnerabilities for packages: gradle, tez, dotty, opensearch, spdx-tools-java, celeborn, wavefront-proxy, kayenta, dependency-track, kayenta-fips, hadoop-client-modules, trino, elasticsearch...
CVE-2024-26308 vulnerabilities
Vulnerabilities for packages: celeborn, trino, gradle, dotty, spdx-tools-java, opensearch, tez, dependency-track, wavefront-proxy...
CVE-2024-25710 vulnerabilities
Vulnerabilities for packages: celeborn, trino, gradle, dotty, spdx-tools-java, opensearch, tez, dependency-track, wavefront-proxy...
CVE-2024-25710 vulnerabilities
Vulnerabilities for packages: gradle, tez, dotty, opensearch, spdx-tools-java, celeborn, wavefront-proxy, kayenta, dependency-track, kayenta-fips, hadoop-client-modules, trino, elasticsearch...
The vulnerability of the Gradle plugin for the Quarkus Java framework, which allows an attacker to disclose protected information
The vulnerability of the Gradle plugin for the Quarkus Java framework concerns the disclosure of information through environment variables. Exploiting this vulnerability allows an attacker to disclose protected information...
cn.hserver:hserver-plugin-beetlsql (>=3.1.1 <=3.2.M2), com.ejdoc:jdocGenerate (>=0.6.2 <=0.6.6) +72 more potentially affected by CVE-2024-22533 via com.ibeetl:beetl-core (>=3.12.0.RELEASE <=3.15.12.RELEASE)
com.ibeetl:beetl-core MAVEN version =3.12.0.RELEASE, =3.1.1, =0.6.2, =2.0.0, =2.6.0-release, =2.6.0, =2.6.0-release, =2.6.0, =3.12.0.RELEASE, =3.15.0.RELEASE, =3.15.0.RELEASE, =3.12.0.RELEASE, =3.14.1.RELEASE, =3.12.0.RELEASE, =3.14.1.RELEASE, =3.14.1.RELEASE, =3.15.12.RELEASE and more Source cve...
gradle.plugin.org.springframework.cloud:spring-cloud-contract-gradle-plugin (>=3.1.0 <=3.1.1), no.skatteetaten.aurora.gradle.plugins:aurora-gradle-plugin (>=4.4.6 <=4.5.2) +14 more potentially affected by CVE-2024-22236 via org.springframework.cloud:spring-cloud-contract-shade (>=3.1.0 <=3.1.1)
org.springframework.cloud:spring-cloud-contract-shade MAVEN version =3.1.0, =3.1.0, =4.4.6, =4.4.6, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.1 - org.springframework.cloud:spr...
gradle.plugin.org.springframework.cloud:spring-cloud-contract-gradle-plugin (=4.1.0), org.springframework.cloud.contract:org.springframework.cloud.contract.gradle.plugin (=4.1.0) +10 more potentially affected by CVE-2024-22236 via org.springframework.cloud:spring-cloud-contract-shade (=4.1.0)
org.springframework.cloud:spring-cloud-contract-shade MAVEN version =4.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.cloud:spring-cloud-contract-shade and may be impacted: -...
MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries
Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate. "Access to projects can be hijacked through domain name purchases and since most default build configurations a...
CVE-2023-49238
In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation in certain installation scenarios because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in befor...
CVE-2023-49238
In Gradle Enterprise before 2023.1, a non-unique initial system user password can allow a remote attacker to access a new installation in certain scenarios, potentially before the legitimate administrator logs in. This is classified as a high-severity issue (CVSS v3.1: CRITICAL) with network acce...
Gradle Security Vulnerabilities
Gradle is a set of JVM-based project building tools from Gradle, Inc. that supports Maven and Ivy repositories, among others. A security vulnerability exists in Gradle Enterprise versions prior to 2023.1, which stems from an initial system user password that is not unique and could allow a remote attack...