SB2021041388 - Multiple vulnerabilities in Gradle gradle

Description

This security bulletin contains information about 2 vulnerabilities.

1) Insecure Temporary File (CVE-ID: CVE-2021-29429)

CWE-ID: CWE-377 - Insecure Temporary File

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to remote files accessed through TextResourceFactory being downloaded into the system temporary directory first. A local user with access to the system can view contents of files and gain access to sensitive information.

2) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2021-29427)

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to Gradle may ignore content filters and search all repositories for dependencies. A remote user with the ability to modify a user program can change user program code on some control systems and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

• https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
• https://docs.gradle.org/7.0/release-notes.html#security-advisories
• https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395