SB2021041388 - Multiple vulnerabilities in Gradle gradle

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Insecure Temporary File (CVE-ID: CVE-2021-29429)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to remote files accessed through TextResourceFactory being downloaded into the system temporary directory first. A local user with access to the system can view contents of files and gain access to sensitive information.

2) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2021-29427)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to Gradle may ignore content filters and search all repositories for dependencies. A remote user with the ability to modify a user program can change user program code on some control systems and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

• https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
• https://docs.gradle.org/7.0/release-notes.html#security-advisories
• https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395