Gradle · Gradle · CVE-2021-29427
Name of the Vulnerable Software and Affected Versions:
Gradle versions 5.1 through 6.x
Description:
Repository content filtering lets a build declare which repositories may serve which dependency groups. In the affected versions, when content filtering is declared from within a `pluginManagement` block in a settings file, Gradle ignores the filters and searches all declared repositories for every dependency. This creates two risks:
1) Information disclosure: Gradle could make dependency requests to repositories outside the organization and leak internal package identifiers.
2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside the organization due to name squatting.
Recommendations:
For Gradle versions 5.1 through 6.x, upgrade to Gradle 7.0 or later, which fixes the issue, as soon as possible.
As a temporary workaround, consider using a company repository with the right rules for fetching packages from public repositories.
Alternatively, use project-level repository content filtering, inside `buildscript.repositories`, which is available since Gradle 5.1.
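The two fragments below are an added illustration, not taken from the advisory or from the Gradle project. They contrast the affected `pluginManagement` pattern with the `buildscript.repositories` workaround recommended above. The repository URLs, the `com.example` group, and the plugin coordinates and id are hypothetical placeholders.

```groovy
// --- settings.gradle (affected pattern, Gradle 5.1 through 6.x) ---
// The content filter below is silently ignored (CVE-2021-29427): Gradle queries
// BOTH repositories for every plugin artifact, so requests for internal plugin
// coordinates also reach the public portal (information disclosure), and a
// squatted public artifact with the same coordinates can win resolution
// (dependency confusion).
pluginManagement {
    repositories {
        maven {
            url "https://repo.example.com/plugins"              // hypothetical internal repository
            content { includeGroupByRegex "com\\.example.*" }   // ignored here in affected versions
        }
        gradlePluginPortal()
    }
}

// --- build.gradle (workaround: project-level filtering in buildscript.repositories) ---
// Content filters declared here are honoured (available since Gradle 5.1), so the
// internal group is only ever requested from the internal repository and the public
// portal is explicitly excluded from serving it.
buildscript {
    repositories {
        maven {
            url "https://repo.example.com/plugins"              // hypothetical internal repository
            content { includeGroupByRegex "com\\.example.*" }   // only internal groups come from here
        }
        maven {
            url "https://plugins.gradle.org/m2/"                 // public Gradle Plugin Portal
            content { excludeGroupByRegex "com\\.example.*" }   // never ask it for internal groups
        }
    }
    dependencies {
        // hypothetical internal plugin, resolved through the buildscript classpath
        classpath "com.example.build:internal-conventions:1.4.0"
    }
}

apply plugin: "com.example.conventions"   // hypothetical plugin id supplied by the classpath above
```

Because the workaround moves plugin resolution out of `pluginManagement`, the plugin is loaded via `buildscript { dependencies { classpath ... } }` and `apply plugin:` rather than the `plugins {}` block, which keeps resolving through the settings-level repositories. Pairing an `includeGroupByRegex` on the internal repository with a matching `excludeGroupByRegex` on the public one is what prevents internal identifiers from being sent to, or satisfied by, the public repository.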