CVE-2020-7599

Name of the Vulnerable Software and Affected Versions com.gradle.plugin-publish versions prior to 0.11.0

Description The issue allows for the insertion of sensitive information into log files. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible, as it is in many popular public CI systems like TravisCI, this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

Recommendations For versions prior to 0.11.0, update to version 0.11.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the --info log level flag when publishing Gradle plugins to minimize the risk of exploitation. Restrict access to build logs to prevent publicly visible AWS pre-signed URLs.