10 matches found

OSV
added 2024/03/06 10:55 a.m., 30 views

BIT-GRADLE-2021-29427 Repository content filters do not work in Settings pluginManagement

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies...

CVSS 8, AI score 7.1, EPSS 0.00557
Exploits: 1, References: 3
vulnersOsv
added 2024/01/31 9:30 a.m., 3 views

gradle.plugin.org.springframework.cloud:spring-cloud-contract-gradle-plugin (>=3.1.0 <=3.1.1), no.skatteetaten.aurora.gradle.plugins:aurora-gradle-plugin (>=4.4.6 <=4.5.2) +14 more potentially affected by CVE-2024-22236 via org.springframework.cloud:spring-cloud-contract-shade (>=3.1.0 <=3.1.1)

org.springframework.cloud:spring-cloud-contract-shade MAVEN version =3.1.0, =3.1.0, =4.4.6, =4.4.6, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.1 - org.springframework.cloud:spr...

CVSS 5.5, AI score 6, EPSS 0.00097
Exploits: 0
vulnersOsv
added 2023/09/18 3:30 p.m., 2 views

0x.plugin.bom:zero-x-plugin-bom (>=0.0.10 <=1.1.0), app.ariadust.dendrobium:app.ariadust.dendrobium.gradle.plugin (>=1.0.0 <=1.0.4) +1534 more potentially affected by CVE-2023-4759 via org.eclipse.jgit:org.eclipse.jgit (>=6.0.0.202111291000-r <=6.6.0.202305301015-r)

org.eclipse.jgit:org.eclipse.jgit MAVEN version =6.0.0.202111291000-r, =0.0.10, =1.0.0, =1.0, =1.0, =2.0, =1.0, =1.0, =3.0, =3.0, =1.0, =3.26.0, =3.26.0, =3.26.0, =3.26.0, =4.23.0 and more Source cves: CVE-2023-4759 https:/...

CVSS 8.8, AI score 7.1, EPSS 0.01001
Exploits: 0
vulnersOsv
added 2023/08/25 9:30 p.m., 2 views

at.zierler.yamlvalidator:at.zierler.yamlvalidator.gradle.plugin (>=1.0.0 <=1.2.1), co.infinum.polyglot-android-client:polyglot-gradle-plugin (>=1.3.0 <=1.4.0) +151 more potentially affected by CVE-2023-24620 via com.esotericsoftware.yamlbeans:yamlbeans (>=1.11 <=1.15)

com.esotericsoftware.yamlbeans:yamlbeans MAVEN version =1.11, =1.0.0, =1.3.0, =1.3.0, =1.0.0, =0.3.0, =0.3.0, =0.3.0, =1.0, =1.0.0, =1.0.3 and more Source cves: CVE-2023-24620 Source advisory: OSV:GHSA-VJ49-J7RC-H54F...

CVSS 5.5, AI score 6, EPSS 0.00024
Exploits: 1
vulnersOsv
added 2023/06/14 3:30 p.m., 2 views

ch.sourcemotion.gradle.vertx.hermes:ch.sourcemotion.gradle.vertx.hermes.gradle.plugin (=0.0.1), ch.sourcemotion.gradle:vertx-hermes-gradle-plugin (=0.0.1) +30 more potentially affected by CVE-2023-34615 via net.pwall.json:jsonutil (>=2.0 <=5.0)

net.pwall.json:jsonutil MAVEN version =2.0, =0.1.0, =0.6.0, =0.6.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.68, =0.31, =0.68, =0.1, =0.6.1 and more Source cves: CVE-2023-34615 Source advisory: OSV:GHSA-W2RR-WVH9-M2M7...

CVSS 7.5, AI score 7.1, EPSS 0.00092
Exploits: 1
vulnersOsv
added 2022/09/12 12:0 a.m., 2 views

com.diffplug.atplug:atplug-plugin-gradle (>=0.1.0 <=0.1.1), com.diffplug.atplug:com.diffplug.atplug.gradle.plugin (>=0.1.0 <=0.1.1) +50 more potentially affected by CVE-2022-26049 via com.diffplug.gradle:goomph (>=2.0.0 <=3.37.1)

com.diffplug.gradle:goomph MAVEN version =2.0.0, =0.1.0, =0.1.0, =3.32.0, =3.21.0, =3.21.0, =3.21.0, =3.21.0, =3.21.0, =3.21.0, =2.0.0, =3.16.0, =3.18.0 - com.diffplug.gradle.eclipse.excludebuildfolder:com.diffplug.gradle.eclipse.excludebuildfolder.gradle.plugin...

CVSS 8.8, AI score 7.2, EPSS 0.01655
Exploits: 1
vulnersOsv
added 2022/09/09 12:0 a.m., 1 view

au.net.causal.maven.plugins:boxdb-maven-plugin (=3.2), co.elastic.docker-base:co.elastic.docker-base.gradle.plugin (>=0.0.1 <=0.0.5) +78 more potentially affected by CVE-2022-25914 via com.google.cloud.tools:jib-core (>=0.10.0 <=0.21.0)

com.google.cloud.tools:jib-core MAVEN version =0.10.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =1.0, =0.4.0, =0.34.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.4.2 and more Source cves: CVE-2022-25914 Source advisory: OSV:GHSA-936V-CG49-M2G5...

CVSS 9.8, AI score 7.2, EPSS 0.03874
Exploits: 0
vulnersOsv
added 2022/08/03 2:0 p.m., 2 views

au.net.causal.maven.plugins:boxdb-maven-plugin (=3.2), co.elastic.docker-base:co.elastic.docker-base.gradle.plugin (>=0.0.1 <=0.0.5) +78 more potentially affected by CVE-2022-25914 via com.google.cloud.tools:jib-core (>=0.10.0 <=0.21.0)

com.google.cloud.tools:jib-core MAVEN version =0.10.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.0, =1.0, =0.4.0, =0.34.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.3.0, =4.4.2 and more Source cves: CVE-2022-25914 Source advisory: SNYK:JAVA-COMGOOGLECLOUDTOOLS-2968871...

CVSS 9.8, AI score 7.2, EPSS 0.03874
Exploits: 0
CVE
added 2021/04/13 5:55 p.m., 100 views

CVE-2021-29427

CVE-2021-29427 affects Gradle when using repository content filtering inside a settings file, specifically within a pluginManagement block. Versions 5.1 up to before 7.0 may ignore content filters and search all repositories, potentially allowing information disclosure (external repository hints)...

CVSS 8, AI score 7, EPSS 0.00557
Exploits: 1, References: 2, Affected Software: 1
vulnersOsv
added 2020/12/09 7:3 p.m., 1 view

app.ariadust.dendrobium:app.ariadust.dendrobium.gradle.plugin (>=1.0.0 <=1.0.4), aspectj.AspectjGradlePlugin:aspectj.AspectjGradlePlugin.gradle.plugin (>=0.0.2 <=0.0.3) +3229 more potentially affected by CVE-2020-17521 via org.codehaus.groovy:groovy-all (>=2.0.0 <=2.4.20)

org.codehaus.groovy:groovy-all MAVEN version =2.0.0, =1.0.0, =0.0.2, =0.2.DEV, =0.2.DEV, =2.1.10, =2.0.0, =2.0.0, =3.5.4-rc.0, =3.5.9, =3.5.9, =3.5.15, =3.5.15, =3.6.0-rc.1 - au.com.dius:pact-jvm-consumer-junit2.10 =2.4.20 and more Source cves: CVE-2020-17521 Source advisory: OSV:GHSA-RCJJ-H6GH-J...

CVSS 5.5, AI score 6.7, EPSS 0.02361
Exploits: 0