CVE-2021-41619

Name of the Vulnerable Software and Affected Versions Gradle Enterprise versions prior to 2021.1.2

Description The issue concerns potential remote code execution via the application startup configuration. The installation configuration user interface, available to administrators, allows specifying arbitrary Java Virtual Machine startup options. Some options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host if an attacker gains administrative access to the application.

Recommendations For Gradle Enterprise versions prior to 2021.1.2, update to version 2021.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation configuration user interface to prevent potential abuse of the Java Virtual Machine startup options. Avoid using options like -XX:OnOutOfMemoryError that allow specifying commands to be run on the host until the issue is resolved.