CVE-2021-21361

MEDIUM

gradle-vagrant-plugin < 3.0.0 - Sensitive Information Disclosure via Environment Variable Logging

Title source: llm

Description

The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. This is fixed in version 3.0.0.

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-jpcm-4485-69p7

Patch, Third Party Advisory x_refsource_misc

https://github.com/bmuschko/gradle-vagrant-plugin/issues/19

Patch, Third Party Advisory x_refsource_misc

https://github.com/bmuschko/gradle-vagrant-plugin/pull/20

Exploit, Third Party Advisory x_refsource_misc

https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44

View Exploit ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0118

EPSS Percentile 63.5%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-532

Status published

Products (2)

com.bmuschko/gradle-vagrant-plugin 0.6 - 3.0.0Maven

vagrant_project/vagrant < 0.6

Published Mar 09, 2021

Tracked Since Feb 18, 2026