CVE-2022-30587: Gradle Enterprise - Security Advisories

Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.


Encryption key used for external system passwords is readable in created Kubernetes manifests

Affected product(s)

  • Gradle Enterprise < 2022.2.3

Severity

Moderate

Published at

2022-06-03

Related CVE ID(s)

  • CVE-2022-30587

Description

When deploying Gradle Enterprise with an unattended installation configuration, the passwords used to connect to external systems can be symmetrically encrypted with a user-provided encryption key. For versions of Gradle Enterprise earlier than 2022.2.3 deployed to a Kubernetes cluster, that encryption key is rendered in plain text into the application manifest alongside the configuration, so anyone able to read the application manifests (for example, anyone with read access to the workload objects in that namespace) can recover the key and decrypt the passwords.

As of Gradle Enterprise 2022.2, the passwords that may be provided in the unattended installation configuration are:

  1. The bind user password when using an LDAP service as an identity provider
  2. The password used to authenticate to the configured SMTP service

As of Gradle Enterprise 2022.2.3, the encryption key is stored as a Kubernetes secret and is no longer readable as part of the application manifest.

Users not using an unattended installation configuration are not affected by this vulnerability.

Mitigation

Users deploying to a Kubernetes cluster with an unattended installation configuration containing encrypted secrets should upgrade to Gradle Enterprise 2022.2.3 or later, and should consider rotating the passwords contained within the configuration, since anyone who could read the manifests before the upgrade may already have decrypted them. Bear in mind that copies of the old manifests (Deployment rollout history, GitOps repositories, backups) can still carry the key after the upgrade.
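The check a cluster operator would want before and after this upgrade is whether any secret material is still sitting in a readable manifest rather than in a Kubernetes Secret. The script below is an added example and not Gradle Enterprise code: it walks the JSON that `kubectl get deploy,sts,cm,secret -n <ns> -o json` returns and flags sensitive-looking env vars given as a literal `value` (instead of `valueFrom.secretKeyRef`) and sensitive-looking ConfigMap keys. The two embedded samples are constructed to show the pre-2022.2.3 shape (key inline in the Deployment and in a ConfigMap) beside the 2022.2.3 shape (key in a Secret, referenced by name); every object, env var and key name in them (`gradle-enterprise-app`, `ENCRYPTION_KEY`, `ge-unattended`, `ge-encryption-key`) is hypothetical and not taken from the product.

```python
"""Audit rendered Kubernetes objects for secret material living outside Secret objects.

Added example; not Gradle Enterprise code. Input is the JSON that
`kubectl get deploy,sts,cm,secret -o json` returns: a List whose `items`
are Kubernetes objects. Every object, env-var and key name in the sample
data below is hypothetical.
"""
import json
import re
import sys

# Env-var and ConfigMap key names that should only ever be backed by a Secret.
SENSITIVE_NAME = re.compile(r"encrypt|secret|passw|token|key", re.IGNORECASE)


def _containers(obj):
    """Yield container specs from a bare Pod or from a workload with a pod template."""
    spec = obj.get("spec", {})
    pod_spec = spec["template"]["spec"] if "template" in spec else spec
    yield from pod_spec.get("containers", [])
    yield from pod_spec.get("initContainers", [])


def find_inline_secrets(manifest_list):
    """Return (kind, name, location) for sensitive values embedded in non-Secret objects.

    Flagged: a literal `value` on a sensitive-looking env var (as opposed to
    `valueFrom.secretKeyRef`), and sensitive-looking keys in ConfigMap `data`.
    Anyone with `get` on deployments/configmaps in the namespace can read these;
    a Secret at least requires `get` on secrets and can be encrypted at rest.
    """
    findings = []
    for obj in manifest_list.get("items", []):
        kind = obj.get("kind", "")
        name = obj.get("metadata", {}).get("name", "")
        if kind == "Secret":
            continue  # the expected home for this material
        if kind == "ConfigMap":
            for key in obj.get("data", {}):
                if SENSITIVE_NAME.search(key):
                    findings.append((kind, name, f"data.{key}"))
            continue
        for c in _containers(obj):
            for env in c.get("env", []):
                if "value" in env and SENSITIVE_NAME.search(env.get("name", "")):
                    findings.append((kind, name, f"container[{c.get('name')}].env.{env['name']}"))
    return findings


def audit_json(text):
    """Parse `kubectl ... -o json` output and return the findings."""
    return find_inline_secrets(json.loads(text))


# Constructed sample: the pre-2022.2.3 shape, key rendered inline into the manifests.
VULNERABLE = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Deployment", "metadata": {"name": "gradle-enterprise-app"},
         "spec": {"template": {"spec": {"containers": [{
             "name": "app",
             "env": [
                 {"name": "UNATTENDED_CONFIG_PATH", "value": "/config/unattended.yaml"},
                 {"name": "ENCRYPTION_KEY", "value": "hunter2-not-a-real-key"},
             ]}]}}}},
        {"kind": "ConfigMap", "metadata": {"name": "ge-unattended"},
         "data": {"unattended.yaml": "ldap:\n  bindPassword: (encrypted)\n",
                  "encryption-key": "hunter2-not-a-real-key"}},
    ],
})

# Constructed sample: the 2022.2.3 shape, key held in a Secret and referenced by name.
HARDENED = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Deployment", "metadata": {"name": "gradle-enterprise-app"},
         "spec": {"template": {"spec": {"containers": [{
             "name": "app",
             "env": [
                 {"name": "UNATTENDED_CONFIG_PATH", "value": "/config/unattended.yaml"},
                 {"name": "ENCRYPTION_KEY", "valueFrom": {"secretKeyRef": {
                     "name": "ge-encryption-key", "key": "key"}}},
             ]}]}}}},
        {"kind": "ConfigMap", "metadata": {"name": "ge-unattended"},
         "data": {"unattended.yaml": "ldap:\n  bindPassword: (encrypted)\n"}},
        {"kind": "Secret", "metadata": {"name": "ge-encryption-key"},
         "data": {"key": "aHVudGVyMi1ub3QtYS1yZWFsLWtleQ=="}},
    ],
})


if __name__ == "__main__":
    # Usage: kubectl get deploy,sts,cm,secret -n <namespace> -o json | python3 audit.py
    for kind, name, where in audit_json(sys.stdin.read()):
        print(f"{kind}/{name}: {where}")
```

Run against the `VULNERABLE` sample the audit reports the Deployment env var and the ConfigMap key; against `HARDENED` it reports nothing, because the only copy of the key is in the Secret. The name heuristic is deliberately broad and will produce false positives on fields such as `KEYSTORE_PATH`; treat the output as a review list, and remember that a clean result for the live objects says nothing about older ReplicaSets or manifests checked into a repository.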
