Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-15768: Gradle Enterprise - Security Advisories

An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user. Gradle Enterprise affected application request paths:/info/headers, /cache-info/headers, /admin-info/headers, /distribution-broker-info/headers. Gradle Enterprise Build Cache Node affected application request paths:/cache-node-info/headers.

CVE
#xss#vulnerability#java#auth#gradle

All advisoriesPotential disclosure of session cookies via header reflection

Affected product(s)

  • Gradle Enterprise 2017.3 - 2020.2.4
  • Gradle Enterprise Build Cache Node 1.0 - 9.2

Severity

Critical

Published at

2020-09-15

Related CVE ID(s)

  • CVE-2020-15768

Description

Unrestricted HTTP header reflection in Gradle Enterprise allows remote attackers to obtain authentication cookies, if they are able to discover a separate XSS vulnerability. This potentially allows an attacker to impersonate another user.

Gradle Enterprise affected application request paths:

  • /info/headers
  • /cache-info/headers
  • /admin-info/headers
  • /distribution-broker-info/headers

Gradle Enterprise Build Cache Node affected application request paths:

  • /cache-node-info/headers

Mitigation

The issue can be mitigated by upgrading to:

  • Gradle Enterprise 2020.2.5
  • Gradle Build Cache Node 9.3

Or alternatively by blocking the above request paths.

Credit

This issue was responsibly reported by Compass Security.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907