CVE-2020-15776
Severity: HIGH
Gradle Enterprise < 2020.2.4 - Incorrect Permission Assignment
Title source: ruleDescription
An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.
References (3)
Third Party Advisory (x_refsource_misc): https://github.com/gradle/gradle/security/advisories
Vendor Advisory (x_refsource_confirm): https://security.gradle.com/advisory/CVE-2020-15776
Third Party Advisory (x_refsource_misc): https://cwe.mitre.org/data/definitions/1004.html
Scores
CVSS v3: 8.8
EPSS: 0.0060
EPSS Percentile: 69.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-732
Status: published
Products (1)
gradle/enterprise: 2018.2 - 2020.2.4
Published: Sep 18, 2020
Tracked Since: Feb 18, 2026