Multiple vulnerabilities in Gradle



Published: 2021-04-13 | Updated: 2024-02-05
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2021-29429, CVE-2021-29427
CWE-ID: CWE-377, CWE-829
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: gradle (Other software / Other software solutions)
Vendor: Gradle

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Insecure Temporary File

EUVDB-ID: #VU63478

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-29429

CWE-ID: CWE-377 - Insecure Temporary File

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists because remote files accessed through TextResourceFactory are first downloaded into the system temporary directory. A local user with access to the system can read those files and obtain sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

gradle: 2.12 - 6.9.2

External links

http://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
http://docs.gradle.org/7.0/release-notes.html#security-advisories


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inclusion of Functionality from Untrusted Control Sphere

EUVDB-ID: #VU63473

Risk: Medium

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-29427

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because Gradle may ignore repository content filters and search all repositories for dependencies. A remote user able to modify a user program can change that program's code on some control systems and execute arbitrary code on the target system.
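For context on the control this issue concerns, the following is an added example (not from the advisory or the Gradle project) of repository content filtering in a build.gradle.kts, with the unfiltered setup shown in comments beside the filtered one; the repository URL and group name are placeholders.

```kotlin
// build.gradle.kts (added example; repository URL and group name are placeholders)
repositories {
    // Unfiltered: every repository is searched for every dependency, so an
    // internal group such as com.example.internal could be resolved from the
    // public repository if a same-named artifact were ever published there.
    //
    //   mavenCentral()
    //   maven { url = uri("https://repo.example.internal/maven") }

    // Filtered: exclusiveContent pins the internal group to the internal
    // repository and excludes that group from every other repository.
    exclusiveContent {
        forRepository {
            maven {
                name = "internal"
                url = uri("https://repo.example.internal/maven")
            }
        }
        filter {
            // Only this group may come from the internal repository,
            // and it may come from nowhere else.
            includeGroup("com.example.internal")
        }
    }

    // Public repository, additionally told never to serve the internal
    // group even if the exclusiveContent block above is later edited away.
    mavenCentral {
        content {
            excludeGroupByRegex("com\\.example\\.internal(\\..*)?")
        }
    }
}

// On the versions this advisory lists (gradle 5.1.0 - 6.8.2) such filters
// may be ignored, so the configuration alone is not a substitute for the
// vendor update named in the Mitigation section.
```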

Mitigation

Install updates from vendor's website.

Vulnerable software versions

gradle: 5.1.0 - 6.8.2

External links

http://docs.gradle.org/7.0/release-notes.html#security-advisories
http://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


