CVE-2021-29428

Name of the Vulnerable Software and Affected Versions: Gradle versions prior to 7.0

Description: The issue affects Gradle builds on Unix-like systems, where the system temporary directory can be created with open permissions, allowing multiple users to create and delete files within it. This can lead to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. The vulnerability impacts builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. Users on Windows or modern versions of macOS are not affected. Additionally, users on Unix-like operating systems with the "sticky" bit set on their system temporary directory are also not vulnerable.

Recommendations: For Gradle versions prior to 7.0, ensure that the "sticky" bit is set on the system temporary directory to prevent exploitation. As an alternative, move the Java temporary directory by setting the System Property java.io.tmpdir to a new path that limits permissions to the build user only. Update to Gradle version 7.0 or later, which includes the patch for this issue.