PT-2020-14619 · Gradle · Gradle Enterprise

Published 2020-09-18 · Updated 2022-09-30 · CVE-2020-15772

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gradle Enterprise versions 2018.5 through 2020.2.4

Description: An issue allows a remote attacker with administrative access to perform server-side request forgery when configuring Gradle Enterprise to integrate with a SAML identity provider. This is due to the server-side processing of an uploaded XML metadata file dereferencing XML External Entities (XXE).

Recommendations: For Gradle Enterprise versions 2018.5 through 2020.2.4, as a temporary workaround, consider restricting access to the XML metadata file upload feature until a patch is available. Restrict administrative access to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
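Added example, not code from the advisory or from Gradle: a Python check that refuses any DOCTYPE in uploaded SAML IdP metadata before the file is parsed, which removes the entity-dereference path the description refers to, since a DTD is the only place XML entities can be declared and legitimate metadata never needs one. The two metadata documents, the element lookups and the internal URL in the hostile sample are constructed for this example.

```python
"""Constructed example: refuse DTD-bearing SAML IdP metadata before parsing it."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"


class UnsafeMetadataError(ValueError):
    """Uploaded metadata was rejected before any entity could be resolved."""


def reject_doctype(xml_bytes: bytes) -> None:
    """Scan the document and raise on the first <!DOCTYPE ...> declaration.

    pyexpat never fetches external resources on its own, so this pass only
    reads the bytes; the handler fires before any entity reference is seen.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeMetadataError(f"DOCTYPE {name!r} is not allowed in IdP metadata")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)


def load_idp_metadata(xml_bytes: bytes) -> dict:
    """Validate the upload, then pull out the fields an SP actually needs."""
    reject_doctype(xml_bytes)
    root = ET.fromstring(xml_bytes)
    if root.tag != MD_NS + "EntityDescriptor":
        raise UnsafeMetadataError("root element is not md:EntityDescriptor")
    sso = root.find(f"./{MD_NS}IDPSSODescriptor/{MD_NS}SingleSignOnService")
    if sso is None:
        raise UnsafeMetadataError("no SingleSignOnService endpoint in metadata")
    return {"entity_id": root.get("entityID"),
            "sso_binding": sso.get("Binding"),
            "sso_location": sso.get("Location")}


# Constructed sample: a well-formed IdP metadata document.
BENIGN_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: same document with an external entity; the URL is a placeholder.
HOSTILE_METADATA = BENIGN_METADATA.replace(
    b"<md:EntityDescriptor",
    b'<!DOCTYPE md:EntityDescriptor [<!ENTITY xxe SYSTEM "http://internal.example.test/">]>\n'
    b"<md:EntityDescriptor", 1).replace(b'entityID="https://idp.example.test/saml"',
                                         b'entityID="&xxe;"')
```

Run `load_idp_metadata(BENIGN_METADATA)` to get the entityID and SSO endpoint; the same call on `HOSTILE_METADATA` raises `UnsafeMetadataError` at the DOCTYPE, before the parser ever reaches the entity reference.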

SSRF

XXE

Weakness Enumeration

Related Identifiers

CVE-2020-15772

Affected Products

Gradle Enterprise