CVE-2020-7599

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

CVSS v3 6.5 MEDIUM
CVSS v2.0 3.3 LOW

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

3.3^/10

CVSS v2.0 : LOW

Vector : AV:A/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 6.5 / Impact : 2.9

Access Vector ADJACENT_NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://blog.gradle.org/plugin-portal-update	Vendor Advisory
https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gradle:plugin_publishing:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-30 19:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-7599

Mitre link : CVE-2020-7599

CVE.ORG link : CVE-2020-7599

JSON object : View

Products Affected

gradle

plugin_publishing

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-7599", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.3, "accessVector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.5, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2020-03-30T19:15:17.467", "references": [{"url": "https://blog.gradle.org/plugin-portal-update", "tags": ["Vendor Advisory"], "source": "report@snyk.io"}, {"url": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866", "tags": ["Third Party Advisory"], "source": "report@snyk.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own."}, {"lang": "es", "value": "Todas las versiones de com.gradle.plugin-publishing anteriores a 0.11.0, son vulnerables a la Inserci\u00f3n de Informaci\u00f3n Confidencial en el Archivo de Registro (Log File). Cuando un autor del plugin publica un plugin de Gradle mientras ejecuta Gradle con el flag de nivel de registro --info, Gradle Logger registra una URL pre-firmada de AWS. Si este registro de compilaci\u00f3n es visible p\u00fablicamente (como lo es en muchos sistemas de CI p\u00fablicos populares como TravisCI), esta URL pre-firmada por AWS permitir\u00eda que un actor malicioso reemplace un plugin subido recientemente por el suyo."}], "lastModified": "2020-04-02T14:48:45.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gradle:plugin_publishing:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7375D0C7-B1FD-4EAD-A388-F9CA9A14F222", "versionEndExcluding": "0.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "report@snyk.io"}