Filtered by vendor Gradle
Subscribe
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-15777 | 1 Gradle | 1 Maven | 2023-12-10 | 4.6 MEDIUM | 7.8 HIGH |
An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation. | |||||
CVE-2019-16370 | 1 Gradle | 1 Gradle | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900. | |||||
CVE-2019-11403 | 1 Gradle | 2 Build Cache Node, Enterprise | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page. | |||||
CVE-2019-15052 | 1 Gradle | 1 Gradle | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. | |||||
CVE-2019-11065 | 2 Fedoraproject, Gradle | 2 Fedora, Gradle | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. | |||||
CVE-2019-11402 | 1 Gradle | 1 Enterprise | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format. | |||||
CVE-2016-6199 | 1 Gradle | 1 Gradle | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. |