7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
30.3%
In Gradle from version 5.1 and before version 7.0 there is a vulnerability
which can lead to information disclosure and/or dependency poisoning.
Repository content filtering is a security control Gradle introduced to
help users specify what repositories are used to resolve specific
dependencies. This feature was introduced in the wake of the “A Confusing
Dependency” blog post. In some cases, Gradle may ignore content filters and
search all repositories for dependencies. This only occurs when repository
content filtering is used from within a pluginManagement
block in a
settings file. This may change how dependencies are resolved for Gradle
plugins and build scripts. For builds that are vulnerable, there are two
risks: 1) Information disclosure: Gradle could make dependency requests to
repositories outside your organization and leak internal package
identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could
download a malicious binary from a repository outside your organization due
to name squatting. For a full example and more details refer to the
referenced GitHub Security Advisory. The problem has been patched and
released with Gradle 7.0. Users relying on this feature should upgrade
their build as soon as possible. As a workaround, users may use a company
repository which has the right rules for fetching packages from public
repositories, or use project level repository content filtering, inside
buildscript.repositories
. This option is available since Gradle 5.1 when
the feature was introduced.
Author | Note |
---|---|
ebarretto | Affects: 5.1 to 6.8.3 |
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
30.3%