CVE-2022-25364

Name
CVE-2022-25364
Description
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://security.gradle.com/advisory/2022-02
MISC https://security.gradle.com

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gradle:gradle:*:*:*:*:enterprise:*:*:* gradle >= None < 2021.4.2
cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:* enterprise >= None < 2021.4.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gradle 3.15-community 7.2-r0 Roberto Oliveira <robertoguimaraes8@gmail.com> possibly vulnerable
gradle 3.16-community 7.4.2-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle edge-community 7.5.1-r3 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle 3.17-community 7.5.1-r3 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable