CVE-2021-41589

Name of the Vulnerable Software and Affected Versions Gradle Enterprise versions prior to 2021.3 Enterprise Build Cache Node versions prior to 10.0

Description The issue concerns potential cache poisoning and remote code execution when running the build cache node with its default configuration, which allows anonymous access to the configuration user interface and anonymous write access to the build cache. A malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to both the build cache provided with Gradle Enterprise and the separate build cache node service.

Recommendations For Gradle Enterprise versions prior to 2021.3, update to version 2021.3 or later to resolve the issue. For Enterprise Build Cache Node versions prior to 10.0, update to version 10.0 or later to resolve the issue. As a temporary workaround, consider changing the default open configuration to restrict access to the build cache and the configuration user interface to prevent anonymous access and potential cache poisoning.