Vulnerability Description
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible by default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected, as they are inaccessible by default.)
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gradle | Enterprise | < 2021.4.2 |
Related Weaknesses (CWE)
References
- https://security.gradle.com (Vendor Advisory)
- https://security.gradle.com/advisory/2022-02 (Vendor Advisory)
FAQ
What is CVE-2022-25364?
CVE-2022-25364 is a vulnerability with a CVSS score of 8.1 (HIGH). In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the buil...
How severe is CVE-2022-25364?
CVE-2022-25364 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2022-25364?
Check the references section above for vendor advisories and patch information. Affected products include: Gradle Enterprise.