CVE-2021-29427

In Gradle from version 5.1 and before version 7.0 there is a vulnerability
which can lead to information disclosure and/or dependency poisoning.
Repository content filtering is a security control Gradle introduced to
help users specify what repositories are used to resolve specific
dependencies. This feature was introduced in the wake of the “A Confusing
Dependency” blog post. In some cases, Gradle may ignore content filters and
search all repositories for dependencies. This only occurs when repository
content filtering is used from within a pluginManagement block in a
settings file. This may change how dependencies are resolved for Gradle
plugins and build scripts. For builds that are vulnerable, there are two
risks: 1) Information disclosure: Gradle could make dependency requests to
repositories outside your organization and leak internal package
identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could
download a malicious binary from a repository outside your organization due
to name squatting. For a full example and more details refer to the
referenced GitHub Security Advisory. The problem has been patched and
released with Gradle 7.0. Users relying on this feature should upgrade
their build as soon as possible. As a workaround, users may use a company
repository which has the right rules for fetching packages from public
repositories, or use project level repository content filtering, inside
buildscript.repositories. This option is available since Gradle 5.1 when
the feature was introduced.

Notes