PT-2021-18203 · Gradle · Gradle
Zacsweers
Published: 2021-04-13 · Updated: 2024-03-06
CVE-2021-29427
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Gradle versions 5.1 through 6.x
Description:
Gradle ignores repository content filters and searches all declared repositories for dependencies when content filtering is configured inside a pluginManagement block in a settings file. This can lead to information disclosure and/or dependency poisoning, i.e. two risks:
- Information disclosure: Gradle could send dependency requests to repositories outside the organization and leak internal package identifiers.
- Dependency poisoning/dependency confusion: Gradle could download a malicious binary from a repository outside the organization due to name squatting.
Recommendations:
For Gradle versions 5.1 through 6.x, upgrade to Gradle 7.0 as soon as possible to patch the issue.
As a temporary workaround, consider using a company repository with the right rules for fetching packages from public repositories.
Alternatively, use project-level repository content filtering inside buildscript.repositories, which has been available since Gradle 5.1.
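As an added illustration (constructed for this page, not taken from the advisory or from Gradle's own documentation), the two placements the recommendation contrasts: the settings-file filter that affected versions ignored, and the project-level filter on buildscript.repositories that is honoured from Gradle 5.1. The repository URL and group names are placeholders.

```groovy
// settings.gradle -- affected configuration (Gradle 5.1 through 6.x)
// Before Gradle 7.0 the content {} filter below was ignored, so every
// listed repository, including the public one, was queried for the
// internal group: internal coordinates leak and a squatted public
// artifact with the same name can be picked up (dependency confusion).
pluginManagement {
    repositories {
        maven {
            url = 'https://repo.internal.example/maven'   // placeholder internal repository
            content {
                includeGroup 'com.example.internal'       // placeholder internal group
            }
        }
        gradlePluginPortal()
    }
}

// build.gradle -- workaround honoured from Gradle 5.1 onward
// Project-level content filtering pins each group to one repository:
// the internal group is served only by the internal host and is
// explicitly excluded from the public plugin portal, so no request
// for it ever leaves the organization.
buildscript {
    repositories {
        maven {
            url = 'https://repo.internal.example/maven'   // placeholder internal repository
            content {
                includeGroup 'com.example.internal'       // only this group from the internal host
            }
        }
        maven {
            url = 'https://plugins.gradle.org/m2'         // public Gradle plugin portal
            content {
                excludeGroup 'com.example.internal'       // never ask the public portal for it
            }
        }
    }
}
```

Pairing includeGroup on the internal repository with excludeGroup on the public one is what prevents the lookup from falling through to the public host; an includeGroup alone only restricts what the internal repository serves.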
Affected Products: Gradle