CVE-2022-25364

Name
CVE-2022-25364
Description
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://security.gradle.com/advisory/2022-02
MISC https://security.gradle.com

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gradle:gradle:*:*:*:*:enterprise:*:*:* gradle >= None < 2021.4.2
cpe:2.3:a:gradle:enterprise:*:*:*:*:*:*:*:* enterprise >= None < 2021.4.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
gradle 3.15-community 7.2-r0 Roberto Oliveira <robertoguimaraes8@gmail.com> possibly vulnerable
gradle 3.16-community 7.4.2-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle 3.17-community 7.6.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle 3.18-community 8.0.2-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle 3.19-community 8.5-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle 3.20-community 8.7-r1 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
gradle edge-community 8.11.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable