CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 1.9 Low
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.0004 Low
Percentile: 5.3%

In Gradle before version 7.0, files created with open permissions in the
system temporary directory can allow an attacker to access information
downloaded by Gradle. Some builds could be vulnerable to a local
information disclosure. Remote files accessed through TextResourceFactory
are downloaded into the system temporary directory first. Sensitive
information contained in these files can be exposed to other local users on
the same system. If you do not use the TextResourceFactory API, you are
not vulnerable.

As of Gradle 7.0, uses of the system temporary directory have been moved to
the Gradle User Home directory. By default, this directory is restricted to
the user running the build.

As a workaround, set a more restrictive umask that removes read access for
other users. When files are created in the system temporary directory, they
will not be accessible to other users. If you are unable to change your
system’s umask, you can move the Java temporary directory by setting the
System Property java.io.tmpdir. The new path needs to limit permissions to
the build user only.
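
The two workarounds described above, as an added shell example (not taken from the Gradle advisory or project): it reports the mode a newly created file gets under a permissive and a restrictive umask, and prepares a build-user-only directory for java.io.tmpdir. The function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Workaround 1: mode a newly created file gets under umask $1.
# Runs in a subshell so the caller's umask is left alone.
mode_under_umask() {
    (
        umask "$1"
        d=$(mktemp -d) || exit 1
        : > "$d/resource.txt"        # plain create: 0666 masked by umask
        mode_of "$d/resource.txt"
        rm -rf "$d"
    )
}

# Workaround 2: prepare a directory only the build user can enter and
# print the JVM argument that points java.io.tmpdir at it.
private_tmpdir_flag() {
    dir=$1
    if [ -L "$dir" ]; then return 1; fi          # do not follow a symlink
    mkdir -p "$dir" || return 1
    if [ ! -O "$dir" ]; then return 1; fi        # must belong to this user
    chmod 700 "$dir" || return 1
    printf '%s\n' "-Djava.io.tmpdir=$dir"
}

# Demo on constructed paths.
echo "umask 022 -> $(mode_under_umask 022)"   # readable by other users
echo "umask 077 -> $(mode_under_umask 077)"   # owner only
demo_base=$(mktemp -d)
private_tmpdir_flag "$demo_base/gradle-tmp"
rm -rf "$demo_base"
```

Pass the printed argument to the JVM that runs the build, for example through org.gradle.jvmargs in gradle.properties, assuming that is how your build sets JVM arguments.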