PT-2022-18312 · Gradle · Gradle Enterprise

Published 2022-03-16 · Updated 2022-03-22 · CVE-2022-27225

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Gradle Enterprise versions prior to 2021.4.3

Description

The issue arises from the use of cleartext data transmission in certain situations by Gradle Enterprise, which utilizes Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies to provide remember-me functionality. However, for backwards compatibility with older Safari versions, a duplicate cookie without the Secure attribute is set, allowing the cookie to be sent via HTTP. This creates a potential for an attacker, who can impersonate the Gradle Enterprise host, to capture a user's login session by tricking them into clicking an http:// link to the server, despite the server requiring HTTPS.

Recommendations

For versions prior to 2021.4.3, update to version 2021.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the server via HTTP to minimize the risk of exploitation. Avoid using HTTP links to access the Gradle Enterprise server until the issue is resolved.
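
A check for the condition described above, as an added example that is not Gradle's or Keycloak's code: it scans Set-Cookie values captured from a sign-in response and reports any cookie that lacks Secure while carrying the same value as a cookie that has it. The cookie names and values are constructed, and pairing duplicates by identical value is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample of Set-Cookie header values (names and values are invented).
SAMPLE_SET_COOKIE = [
    "EXAMPLE_SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "EXAMPLE_SESSION_COMPAT=abc123; Path=/; HttpOnly",
    "EXAMPLE_LOCALE=en; Path=/",
    "EXAMPLE_CSRF=zz9; Path=/; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercase attribute names)."""
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    flags = {a.partition("=")[0].strip().lower() for a in attrs if a}
    return name.strip(), value.strip(), flags


def find_insecure_duplicates(headers):
    """Return (insecure_name, secure_name) pairs that carry the same value.

    Assumption: a compatibility duplicate repeats the protected cookie's value.
    A pair means that value is also issued in a cookie the browser will attach
    to plain http:// requests.
    """
    by_value = defaultdict(lambda: {"secure": [], "insecure": []})
    for header in headers:
        name, value, flags = parse_set_cookie(header)
        if value:
            by_value[value]["secure" if "secure" in flags else "insecure"].append(name)
    return sorted(
        (weak, strong)
        for group in by_value.values()
        for weak in group["insecure"]
        for strong in group["secure"]
    )


def cookies_without_secure(headers):
    """Names of every cookie set without the Secure attribute."""
    return sorted(n for n, _, f in map(parse_set_cookie, headers) if "secure" not in f)


if __name__ == "__main__":
    for weak, strong in find_insecure_duplicates(SAMPLE_SET_COOKIE):
        print(f"{weak} duplicates {strong} without Secure")
    print("no Secure attribute:", cookies_without_secure(SAMPLE_SET_COOKIE))
```
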

Fix

Missing Encryption of Sensitive Data


Weakness Enumeration

Related Identifiers

CVE-2022-27225

Affected Products

Gradle Enterprise