Description
Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts. The applicable severity of this vulnerability depends on whether a Develocity server is accessible by external or unauthorized users, and the complexity of the System User password.
References (1)
Core 1
Core References
Vendor Advisory
https://security.gradle.com/advisory/2025-01
Scores
CVSS v4
8.3
EPSS
0.0044
EPSS Percentile
34.5%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-201
Status
published
Products (3)
Gradle/Enterprise
2020.4 - 2024.1.9
Gradle/Enterprise
2024.2 - 2024.2.7
Gradle/Enterprise
2024.3 - 2024.3.1
Published
Jan 26, 2025
Tracked Since
Feb 18, 2026