CVE-2022-25364
HIGHGradle Enterprise < 2021.4.2 - Unauthenticated Remote Code Execution via Default Build Cache Configuration
Title source: llmDescription
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://security.gradle.com
Vendor Advisory x_refsource_misc
https://security.gradle.com/advisory/2022-02
Scores
CVSS v3
8.1
EPSS
0.0098
EPSS Percentile
57.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
Status
published
Products (1)
gradle/enterprise
< 2021.4.2
Published
Mar 17, 2022
Tracked Since
Feb 18, 2026