Description
In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.
References (3)
Core References
Vendor Advisory: https://security.gradle.com
Vendor Advisory: https://security.gradle.com/advisory/2023-01
Vendor Advisory: https://security.netapp.com/advisory/ntap-20240216-0003/
Scores
CVSS v3: 9.8
EPSS: 0.0077
EPSS Percentile: 50.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-521
Status: published
Products (1)
gradle/enterprise < 2023.1
Published: Jan 09, 2024
Tracked Since: Feb 18, 2026