CVE-2022-41575: Gradle Enterprise - Security Advisories
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of application data (e.g., cleartext credentials). This is fixed in 2022.3.3.
Exposure of S3 access credentials in support bundles
Affected product(s)
- Gradle Enterprise 2022.3 - 2022.3.2
Severity
Moderate
Published at
2022-10-19
Related CVE ID(s)
- CVE-2022-41575
Description
Gradle Enterprise can be configured to store Build Scan™ data in an Amazon S3 compatible object store. This configuration may include access credentials. Support bundles generated from Gradle Enterprise 2022.3 through to 2022.3.2 expose these credentials in plaintext. The credentials could be used by an attacker to read and write Build Scan data directly to the object store.
Support bundles are a mechanism used by Gradle Enterprise support to obtain log files and other operational telemetry from a Gradle Enterprise installation. They must be generated by an installation administrator with access to the installation host environment, or via the application administration user interface. The bundle files are typically then shared with Gradle Enterprise support and discarded.
Gradle Enterprise installations not using an Amazon S3 compatible object store for build data are unaffected. Installations using the “instance profile” authentication method are also unaffected.
Mitigation
As of Gradle Enterprise 2022.3.3, the access credentials are encrypted in support bundles.
Affected installations should consider revoking existing credentials and generating and configuring new credentials.
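Before discarding or re-sharing support bundles generated on 2022.3 through 2022.3.2, retained copies can be checked for the object store credentials in cleartext. The following is an added example, not code from Gradle or from this advisory. It assumes the bundle is a zip or tar archive (the advisory does not state the format), and the member names and secret values in it are constructed.

```python
import tarfile
import tempfile
import zipfile
from pathlib import Path


def iter_members(path):
    """Yield (name, bytes) for every file in a zip/tar archive, or the file itself."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:
            for member in tf:
                if member.isfile():
                    yield member.name, tf.extractfile(member).read()
    else:
        yield Path(path).name, Path(path).read_bytes()


def find_exposures(bundle_path, secrets):
    """Return sorted (member, label) pairs where a known secret appears in cleartext.

    Only the label is reported, so the scan output never repeats the secret.
    """
    hits = set()
    for name, data in iter_members(bundle_path):
        for label, value in secrets.items():
            if value and value.encode() in data:
                hits.add((name, label))
    return sorted(hits)


def make_constructed_bundle(directory, leak):
    """Write a constructed sample archive; the file names and keys are invented."""
    path = Path(directory) / ("leaky.zip" if leak else "clean.zip")
    secret = SAMPLE_SECRETS["secret key"] if leak else "<encrypted>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("logs/app.log", "constructed log line\n")
        zf.writestr("config/object-store.txt", f"secretKey={secret}\n")
    return path


# Constructed values; in practice load the real ones from your secret store.
SAMPLE_SECRETS = {"access key": "EXAMPLE-KEY-ID", "secret key": "example-secret-value"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for leak in (True, False):
            bundle = make_constructed_bundle(tmp, leak)
            print(bundle.name, find_exposures(bundle, SAMPLE_SECRETS))
```

Any bundle that produces a hit should be treated as containing live credentials until those credentials have been revoked.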