CVE-2020-15767
MEDIUMGradle Enterprise < 2020.2.5 - Missing Encryption of Sensitive Data in CSRF Cookie
Title source: llmDescription
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://github.com/gradle/gradle/security/advisories
Vendor Advisory x_refsource_confirm
https://security.gradle.com/advisory/CVE-2020-15767
Scores
CVSS v3
5.3
EPSS
0.0054
EPSS Percentile
41.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-311
Status
published
Products (1)
gradle/enterprise
< 2020.2.5
Published
Sep 18, 2020
Tracked Since
Feb 18, 2026