CVE-2022-25364

In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
References
Link Resource
https://security.gradle.com Vendor Advisory
https://security.gradle.com/advisory/2022-02 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type Values Removed Values Added
CWE CWE-863 CWE-276

10 May 2022, 15:33

Type Values Removed Values Added
First Time Gradle enterprise
CPE cpe:2.3:a:gradle:gradle:*:*:*:*:enterprise:*:*:* cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:*

23 Mar 2022, 19:03

Type Values Removed Values Added
CWE CWE-863
First Time Gradle
Gradle gradle
References (MISC) https://security.gradle.com - (MISC) https://security.gradle.com - Vendor Advisory
References (MISC) https://security.gradle.com/advisory/2022-02 - (MISC) https://security.gradle.com/advisory/2022-02 - Vendor Advisory
CPE cpe:2.3:a:gradle:gradle:*:*:*:*:enterprise:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 9.3
v3 : 8.1

17 Mar 2022, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-03-17 17:15

Updated : 2023-12-10 14:22


NVD link : CVE-2022-25364

Mitre link : CVE-2022-25364

CVE.ORG link : CVE-2022-25364


JSON object : View

Products Affected

gradle

  • enterprise
CWE
CWE-276

Incorrect Default Permissions