Gradle Enterprise
23 CVEs affecting Gradle Enterprise (now Develocity). Latest disclosed: 2025-01-26. Critical: 5, High: 9, Medium: 6. The 20 entries listed below are ordered by severity, then CVSS score; summaries are truncated as on the source page.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-49238 | Critical | 9.8 | 2024-01-09 | In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-uni… |
| CVE-2022-27919 | Critical | 9.8 | 2022-03-25 | Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allow… |
| CVE-2021-41589 | Critical | 9.8 | 2021-10-27 | In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the… |
| CVE-2019-11403 | Critical | 9.8 | 2019-04-22 | In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page. |
| CVE-2019-11402 | Critical | 9.8 | 2019-04-22 | In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format. |
| CVE-2020-15776 | High | 8.8 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An a… |
| CVE-2022-25364 | High | 8.1 | 2022-03-17 | In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malici… |
| CVE-2022-41575 | High | 7.5 | 2022-10-21 | A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3.3 allows remote attackers to access a subset of… |
| CVE-2022-41574 | High | 7.5 | 2022-10-07 | An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with ar… |
| CVE-2020-15775 | High | 7.5 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2017.1 - 2020.2.4. The /usage page of Gradle Enterprise conveys high level build information such as project names… |
| CVE-2020-15771 | High | 7.5 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows… |
| CVE-2020-15768 | High | 7.5 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2017.3 - 2020.2.4 and Gradle Enterprise Build Cache Node 1.0 - 9.2. Unrestricted HTTP header reflection in Gradle… |
| CVE-2021-41619 | High | 7.2 | 2021-10-27 | An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installat… |
| CVE-2024-46881 | High | 7.1 | 2025-01-26 | Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise C… |
| CVE-2020-15774 | Medium | 6.8 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2018.5 - 2020.2.4. An attacker with physical access to the browser of a user who has recently logged in to Gradle… |
| CVE-2022-27225 | Medium | 6.5 | 2022-03-16 | Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-… |
| CVE-2020-15773 | Medium | 6.5 | 2020-09-18 | An issue was discovered in Gradle Enterprise before 2020.2.4. Because of unrestricted cross-origin requests to read-only data in the Export API, an attacker ca… |
| CVE-2020-15769 | Medium | 6.1 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2020.2 - 2020.2.4. An XSS issue exists via the request URL. |
| CVE-2020-15770 | Medium | 5.5 | 2020-09-18 | An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-o… |
| CVE-2021-41590 | Medium | 5.3 | 2021-10-27 | In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. The installation configuration us… |
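The weak default behind CVE-2022-25364 (anonymous write access to the built-in build cache), which is also the entry point for the cache-poisoning path of CVE-2021-41589, can be checked from outside with a single unauthenticated PUT. The probe below is an added example, not Gradle's or Develocity's own code. It assumes the target speaks Gradle's HTTP build cache protocol (GET and PUT of `<base_url>/<32-hex cache key>`) and treats any 2xx on an unauthenticated PUT as anonymous write access. The cache URL `https://ge.example.com/cache/` is a placeholder, and the fake cache node at the bottom is constructed here only so the probe can be exercised offline.

```python
"""Probe a Gradle remote build cache for anonymous write access.

Added example (not Gradle/Develocity code). Assumes Gradle's HTTP build cache
protocol: GET or PUT <base_url>/<32-hex key>. The fake node is constructed here
for offline use and is not how a real Build Cache Node is implemented.
"""
import hashlib
import os
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ANONYMOUS_WRITE = "anonymous write accepted (cache can be poisoned by anyone)"
AUTH_REQUIRED = "write requires credentials"
READ_ONLY = "writes rejected"
UNKNOWN = "unexpected response"


def classify_put_status(status):
    """Map the HTTP status of an unauthenticated PUT to a verdict."""
    if 200 <= status < 300:
        return ANONYMOUS_WRITE
    if status in (401, 403):
        return AUTH_REQUIRED
    if status in (405, 501):
        return READ_ONLY
    return UNKNOWN


def probe_cache_write(base_url, opener=None, timeout=10):
    """PUT a tiny entry under a random key, sending no credentials.

    The key is random and no build will ever request it, so a successful write
    cannot poison real task outputs; it does leave a small junk entry behind.
    Returns (verdict, http_status, key).
    """
    opener = opener or urllib.request.build_opener()
    # Gradle cache keys are 32 lowercase hex characters (a 128-bit hash).
    key = hashlib.sha256(os.urandom(16)).hexdigest()[:32]
    req = urllib.request.Request(
        base_url.rstrip("/") + "/" + key,
        data=b"probe",
        method="PUT",
        headers={"Content-Type": "application/octet-stream"},
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as exc:
        status = exc.code  # 401/403/405 arrive as exceptions in urllib
    return classify_put_status(status), status, key


class _FakeCacheNode(BaseHTTPRequestHandler):
    """Constructed stand-in for a cache node; require_auth toggles the weak default."""
    require_auth = True
    store = {}

    def do_PUT(self):
        if self.require_auth and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="cache"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_GET(self):
        body = self.store.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.end_headers()
        if body is not None:
            self.wfile.write(body)

    def log_message(self, *args):  # keep the fake node quiet
        pass


def start_fake_node(require_auth):
    """Start a fake node on a free localhost port; returns (server, base_url)."""
    handler = type("Node", (_FakeCacheNode,), {"require_auth": require_auth, "store": {}})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/cache/" % server.server_address[1]


if __name__ == "__main__":
    # Usage: python probe.py https://ge.example.com/cache/   (placeholder URL)
    if len(sys.argv) > 1:
        verdict, status, key = probe_cache_write(sys.argv[1])
        print("%s -> HTTP %d: %s" % (sys.argv[1], status, verdict))
    else:  # no target given: demonstrate against both fake-node configurations
        for weak_default in (True, False):
            server, url = start_fake_node(require_auth=not weak_default)
            verdict, status, _ = probe_cache_write(url)
            print("require_auth=%s -> HTTP %d: %s" % (not weak_default, status, verdict))
            server.shutdown()
            server.server_close()
```

Run it against the cache endpoint your builds push to; a 2xx means the node is still on the pre-2021.4.2 default (or has been reconfigured to match it) and any network peer can publish task outputs that other builds will trust. Note that a 401 from an unauthenticated probe says nothing about whether the credentials your CI uses are themselves scoped to write only from trusted agents, which is the other half of the hardening.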