CVE-2022-41574: Gradle Enterprise - Security Advisories
An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. This is fixed in 2022.3.2.
Unrestricted access to application HTTP endpoint allows arbitrarily emailing installation admin contact and preventing backups
Affected product(s)
- Gradle Enterprise 2020.4 - 2022.3.1
Severity
High
Published at
2022-10-04
Related CVE ID(s)
- CVE-2022-41574
Description
Gradle Enterprise installations before 2022.3.2 inadvertently exposed an internal HTTP endpoint that is used as part of the database backup process. For embedded database installations with backups enabled, a malicious actor could leverage this to prevent backups from occurring and send emails with arbitrary text content to the configured installation administrator contact address.
This endpoint cannot be used to send emails to arbitrary recipients or to obtain user data.
Mitigation
Gradle Enterprise 2022.3.2 mitigates the vulnerability by preventing unauthorized access to the endpoint. This can be emulated for earlier versions by blocking external access to the /backup request path of the application via an external firewall or request router.
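A common failure of the request-router workaround is a filter that compares the raw request string against `/backup` and is defeated by ordinary URL normalisation (percent-encoding, repeated slashes, `..` segments). The following path filter is an added example written for this page, not code from Gradle Enterprise or from the advisory; it normalises a request-target the way a backend typically would before comparing it against the `/backup` path named above. Case-insensitive matching, the backslash handling and the sample request-targets are conservative choices and constructed inputs, not anything the advisory specifies.

```python
from urllib.parse import unquote

# The request path named in the advisory. Matching is done on the
# normalised form and case-insensitively so the rule fails closed;
# that strictness is a choice made here, not an advisory requirement.
BLOCKED_PATHS = ("/backup",)


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request-target into the path a backend would likely route.

    Steps: strip query and fragment, percent-decode until stable (so a
    double-encoded byte is not missed), treat backslashes as separators,
    collapse repeated slashes, resolve '.' and '..' segments, lower-case.
    """
    # Strip query/fragment by hand: urlsplit("//backup") would read
    # "backup" as a host and leave an empty path, which is exactly the
    # kind of parser disagreement a prefix filter must not rely on.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]

    # Bounded decode loop: "%2562ackup" -> "%62ackup" -> "backup".
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded

    path = path.replace("\\", "/")

    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # repeated slash or current-dir segment
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def is_blocked(raw_target: str) -> bool:
    """True when the edge router should reject the request outright."""
    path = normalize_path(raw_target)
    return any(path == p or path.startswith(p + "/") for p in BLOCKED_PATHS)


def filter_requests(targets):
    """Classify constructed request-targets as 'deny' or 'allow'."""
    return {t: ("deny" if is_blocked(t) else "allow") for t in targets}


if __name__ == "__main__":
    # Constructed sample request-targets, not captured traffic.
    samples = [
        "/backup", "/backup/", "/backup/run?now=1", "/%62ackup",
        "/%2562ackup", "//backup", "/static/../backup", "/BACKUP",
        "/backups", "/scans", "/",
    ]
    for target, verdict in filter_requests(samples).items():
        print(f"{verdict:5} {target}")
```

The segment-boundary match (`/backup` and anything beneath it, but not `/backups`) mirrors the advisory's wording of a single request path; a plain nginx prefix `location` on `/backup` would also catch `/backups`, which is harmless if no legitimate route starts that way. Whichever router is used, the deny rule must run after the router's own normalisation and before any rule that proxies to the application.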
As this vulnerability can potentially prevent backups from occurring according to the configured schedule, users using the embedded database and scheduled backups should verify the presence of adequate backups after upgrading or blocking the request path.