PT-2021-18205 · Gradle+2

Big-Guy

Published 2021-04-12 · Updated 2024-04-05

CVE-2021-29429

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gradle versions prior to 7.0
Description: Gradle versions before 7.0 create files in the system temporary directory with open permissions, so another local user on the same host can read what Gradle has downloaded. Remote files fetched through the TextResourceFactory API are written to the system temporary directory first, and the resulting files are created with whatever permissions the process umask allows (on most systems, world-readable). Any sensitive content in those files is therefore disclosed to other local users; builds that do not use the TextResourceFactory API are not affected. The CVSS vector reflects this: local access with low privileges is required, and the impact is limited to confidentiality. As of Gradle 7.0, these files are no longer placed in the system temporary directory but in the Gradle User Home directory, which by default is accessible only to the user running the build.
Recommendations: Upgrade to Gradle 7.0 or later. For builds that must remain on an earlier version, two workarounds are available. First, set a more restrictive umask (for example 077) for the process that runs the build, so that files created in the system temporary directory carry no read permission for group or other users; note that the umask must apply to the JVM that actually performs the download, which for a daemon build is the Gradle daemon rather than the client. Second, if the umask cannot be changed, move the Java temporary directory by setting the System Property java.io.tmpdir (for example through org.gradle.jvmargs in gradle.properties) to a directory whose permissions limit access to the build user only; a directory created with mode 0700 satisfies this, while the default /tmp does not.
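The two workarounds above, and a check for files an older Gradle may already have left exposed, as an added shell example. This is not code from the advisory or from the Gradle project; it assumes a POSIX shell with GNU or BusyBox coreutils and findutils (stat -c, find -perm /MODE), and every path and function name in it is illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory or Gradle): mitigations and a check for
# CVE-2021-29429 on Gradle < 7.0. Assumes stat -c and find -perm /MODE (GNU or
# BusyBox). All paths and function names are illustrative.

# Print the permission bits of a path as three octal digits (644, 700, ...).
# Leading setuid/setgid/sticky digits are dropped, so 1777 -> 777.
file_mode() {
    m=$(printf '%04d' "$(stat -c %a "$1")")
    printf '%s\n' "${m#"${m%???}"}"
}

# Succeed only if group and others have no permission bits at all on the path.
is_private() {
    case "$(file_mode "$1")" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Workaround 2, step 1: a temp directory only the build user can enter or read.
# mktemp -d already creates it 0700 regardless of umask; chmod makes that explicit.
make_private_tmpdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gradle-private.XXXXXX")
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Workaround 2, step 2: the JVM flag that moves java.io.tmpdir into that
# directory. Add it to org.gradle.jvmargs in gradle.properties so the Gradle
# daemon (the JVM that performs TextResourceFactory downloads) picks it up, and
# to GRADLE_OPTS if the build runs without a daemon.
tmpdir_flag() {
    printf -- '-Djava.io.tmpdir=%s\n' "$1"
}

# Workaround 1, illustrated: create one file under the common default umask 022
# and one under the recommended 077 inside the given directory, and print both
# modes. Gradle < 7.0 left temp-file permissions entirely to the process umask.
umask_demo() {
    ( umask 022; : > "$1/default-umask.txt" )
    ( umask 077; : > "$1/strict-umask.txt" )
    printf '%s %s\n' "$(file_mode "$1/default-umask.txt")" \
                     "$(file_mode "$1/strict-umask.txt")"
}

# Check: regular files directly under a directory that belong to the current
# user but are readable by group (040) or others (004). Run it against the
# system temp directory to see what an older Gradle may already have exposed.
find_exposed() {
    find "$1" -maxdepth 1 -type f -user "$(id -u)" -perm /044 2>/dev/null
}
```

Typical use is to source the file, run `d=$(make_private_tmpdir)`, append `$(tmpdir_flag "$d")` to `org.gradle.jvmargs` (and to `GRADLE_OPTS`), and run `find_exposed "${TMPDIR:-/tmp}"` once to find and remove anything already left world-readable. `umask_demo` exists only to make the effect of the umask visible: the file created under 022 comes out 644, the one under 077 comes out 600.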


Related Identifiers

BIT-GRADLE-2021-29429
CVE-2021-29429
GHSA-FP8H-QMR5-J4C8
OPENSUSE-SU-2024_1119-1
SUSE-SU-2024:1119-1

Affected Products

Debian
Gradle
SUSE