
864 matches found

CVE
added 2020/08/25 9:34 p.m. · 66 views

CVE-2020-15777

The CVE-2020-15777 issue affects the Maven Extension plugin for Gradle Enterprise prior to version 1.6. The plugin uses a socket connection to send serialized Java objects and deserialization is not restricted to an allow-list, enabling code execution via a malicious deserialization gadget chain....

7.8 CVSS · 8 AI score · 0.01047 EPSS
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2020/08/25 9:34 p.m. · 12 views

CVE-2020-15777

An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization...

8 AI score · 0.01047 EPSS
Exploits 0 · References 2
Positive Technologies
added 2020/08/25 12:0 a.m. · 4 views

PT-2020-14624 · Gradle · Maven Extension Plugin

Name of the Vulnerable Software and Affected Versions: Maven Extension plugin versions prior to 1.6 for Gradle Enterprise. Description: An issue was discovered in the Maven Extension plugin, where the extension uses a socket connection to send serialized Java objects. Deserialization is not...

7.8 CVSS · 8.1 AI score · 0.01047 EPSS
Exploits 0 · References 5
vulnersOsv
added 2020/06/15 8:35 p.m. · 7 views

app.pickmaven:businessdays (>=1.0.0 <=1.0.1), br.com.martinlabs:martinlabs-commons (=3.4) +834 more potentially affected by CVE-2018-10237 via com.google.guava:guava-jdk5 (>=13.0 <=17.0)

com.google.guava:guava-jdk5 MAVEN version =13.0, =1.0.0, =0.1, =0.1, =4.0.2, =1.0, =1.0, =1.0.16, =1.0.16, =2.4.1 and more Source cves: CVE-2018-10237 Source advisory: OSV:GHSA-MVR2-9PJ6-7W5J...

5.9 CVSS · 6.8 AI score · 0.05119 EPSS
Exploits 0
OSV
added 2020/03/30 7:15 p.m. · 2 views

CVE-2020-7599

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...

6.5 CVSS · 6.6 AI score · 0.00482 EPSS
Exploits 0 · References 2
NVD
added 2020/03/30 7:15 p.m. · 24 views

CVE-2020-7599

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...

6.5 CVSS · 6.4 AI score · 0.00482 EPSS
Exploits 0 · References 2
Prion
added 2020/03/30 7:15 p.m. · 12 views

Code injection

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...

3.3 CVSS · 6.3 AI score · 0.00482 EPSS
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2020/03/30 6:20 p.m. · 28 views

CVE-2020-7599

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...

6.4 AI score · 0.00482 EPSS
Exploits 0 · References 2
Snyk
added 2020/03/27 4:46 p.m. · 1 views

Insertion of Sensitive Information into Log File

Overview: com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin is a plugin that publishes plugins to the Gradle Plugin Portal. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while...

6.5 CVSS · 6.6 AI score · 0.00482 EPSS
Exploits 0 · References 2
Kitploit
added 2019/12/19 8:30 p.m. · 100 views

Automatic API Attack Tool - Customizable API Attack Tool Takes An API Specification As An Input, Generates And Runs Attacks That Are Based On It As An Output

Imperva's customizable API attack tool takes an API specification as an input, and generates and runs attacks that are based on it as an output. The tool is able to parse an API specification and create fuzzing attack scenarios based on what is defined in the API specification. Each endpoint is...

7.3 AI score
Exploits 0 · References 1
RedhatCVE
added 2019/10/07 6:36 a.m. · 68 views

CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

5.9 CVSS · 3.1 AI score · 0.01025 EPSS
Exploits 1 · References 3
Veracode
added 2019/10/03 3:30 a.m. · 8 views

Information Disclosure

gradle-info-plugin is vulnerable to information disclosure. User credentials are not stripped from the Git repository URL...

1.2 AI score
Exploits 0
RedhatCVE
added 2019/09/27 2:20 p.m. · 27 views

CVE-2019-15052

A flaw was found in Gradle, where the HTTP client sends credentials originally meant for the configured host, to all subsequent hosts that the request redirects. This flaw allows a leak of the authentication token to external entities...

9.8 CVSS · 1 AI score · 0.02925 EPSS
Exploits 1 · References 3
Github Security Blog
added 2019/09/23 6:31 p.m. · 27 views

High severity vulnerability that affects generator-jhipster

Generated code uses repository configuration that downloads over HTTP instead of HTTPS. Impact: Gradle users were using the http://repo.spring.io/plugins-release repositories in plain HTTP, and not HTTPS, so a man-in-the-middle attack was possible at build time. Patches: Maven users should at least...

7 AI score
Exploits 0 · References 3 · Affected Software 1
OSV
added 2019/09/16 6:15 p.m. · 0 views

DEBIAN-CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

5.9 CVSS · 6.6 AI score · 0.01025 EPSS
Exploits 1 · References 1
OSV
added 2019/09/16 6:15 p.m. · 26 views

CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

5.9 CVSS · 6.6 AI score
Exploits 0 · References 2
UbuntuCve
added 2019/09/16 6:15 p.m. · 34 views

CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

5.9 CVSS · 6.6 AI score · 0.01025 EPSS
Exploits 1 · References 4
Prion
added 2019/09/16 6:15 p.m. · 20 views

Denial of service

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

4.3 CVSS · 5.8 AI score · 0.01025 EPSS
Exploits 1 · References 2 · Affected Software 1
OSV
added 2019/09/16 6:15 p.m. · 0 views

UBUNTU-CVE-2019-16370

The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900...

5.9 CVSS · 6.2 AI score · 0.01025 EPSS
Exploits 1 · References 5
CVE
added 2019/09/16 5:50 p.m. · 170 views

CVE-2019-16370

CVE-2019-16370 affects the PGP signing plugin for Gradle up to version 6.0. The root cause is reliance on SHA-1, enabling an attacker to replace an artifact with another having the same SHA-1 digest. This could permit spoofing/tampering of artifacts. Remediation: upgrade Gradle to 6.0 or later (...

5.9 CVSS · 5.8 AI score · 0.01025 EPSS
Exploits 1 · References 2 · Affected Software 1