PT-2025-2749 · Unknown · Develocity

Published: 2025-01-26 · Updated: 2025-01-26 · CVE-2024-46881

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
- Develocity versions 2023.3.X through 2023.4.X
- Develocity versions 2023.3.X through 2024.1.7
- Develocity versions 2023.4.X through 2024.1.7
- Develocity versions prior to 2024.1.8
Description: The issue arises from incorrect access control in Develocity: the project-level access control configuration introduced in Enterprise Config schema version 8 is not properly migrated to schema versions 9 and 10. When an old schema is loaded, project settings are reset to their defaults, which disables project-level access control and discloses previously restricted project information. This typically occurs when a Develocity instance is upgraded from an earlier version. The flaw can only be triggered via administrator access and cannot be forced by an external attacker.
Recommendations:
- Develocity version 2023.3.X: Upgrade to version 2024.1.8 or later to fix the issue.
- Develocity version 2023.4.X: Upgrade to version 2024.1.8 or later to fix the issue.
- Develocity versions prior to 2024.1.8: Upgrade to version 2024.1.8 or later to fix the issue.
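The bug class described above, modelled as an added example that is not Develocity's code: a schema migration that rebuilds the new document from defaults silently drops the project-level access control carried in the older schema, while a migration that carries the old settings forward preserves it. The config layout, field names and sample projects are constructed assumptions; the regression check is the kind of post-upgrade verification an administrator would want.

```python
"""Constructed model of a config-migration bug that resets project-level
access control to defaults (the CVE-2024-46881 bug class). The config
structure and field names are assumptions, not Develocity's real format."""
from copy import deepcopy

# Assumed defaults for a project in the new schema: access control off.
DEFAULT_PROJECT = {"accessControlEnabled": False, "allowedGroups": []}

def migrate_naive(config):
    """Buggy migration: builds the new-schema document from defaults only,
    so every project's access-control settings from the old schema are lost."""
    new = {"schemaVersion": 10, "projects": {}}
    for name in config.get("projects", {}):
        new["projects"][name] = deepcopy(DEFAULT_PROJECT)
    return new

def migrate_fixed(config):
    """Fixed migration: carries each project's settings forward verbatim and
    applies defaults only for fields the old schema did not have."""
    new = {"schemaVersion": 10, "projects": {}}
    for name, project in config.get("projects", {}).items():
        merged = deepcopy(DEFAULT_PROJECT)
        merged.update(project)
        new["projects"][name] = merged
    return new

def access_control_regressions(before, after):
    """Post-upgrade check: names of projects whose access control was enabled
    before migration but is disabled, or has lost allowed groups, afterwards."""
    lost = []
    for name, old in before.get("projects", {}).items():
        new = after.get("projects", {}).get(name, DEFAULT_PROJECT)
        if old.get("accessControlEnabled") and not new.get("accessControlEnabled"):
            lost.append(name)
        elif set(old.get("allowedGroups", [])) - set(new.get("allowedGroups", [])):
            lost.append(name)
    return sorted(lost)

# Constructed sample input: an old-schema config with one restricted project.
SCHEMA8_CONFIG = {
    "schemaVersion": 8,
    "projects": {
        "payments": {"accessControlEnabled": True, "allowedGroups": ["payments-dev"]},
        "website": {"accessControlEnabled": False, "allowedGroups": []},
    },
}

if __name__ == "__main__":
    print("naive:", access_control_regressions(SCHEMA8_CONFIG, migrate_naive(SCHEMA8_CONFIG)))
    print("fixed:", access_control_regressions(SCHEMA8_CONFIG, migrate_fixed(SCHEMA8_CONFIG)))
```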

Weakness Enumeration: Incorrect Permission

Related Identifiers: CVE-2024-46881

Affected Products: Develocity