Gradle Enterprise Security Advisories

The following is a list of security advisories relating to Gradle Enterprise and its associated components.
Gradle build tool security advisories can be found here.

Published at   Severity   Summary
2021-10-25     High       Open redirect vulnerability in Replicated admin console
2021-10-21     High       Installation configuration information exposure in Replicated admin console
2021-10-15     Critical   Potential cache poisoning and remote code execution when running build cache node with default configuration
2021-10-15     Moderate   Potential probing of server side network environment via SMTP configuration test
2021-05-31     Critical   Crafted HTTP request to Gradle Enterprise can allow unauthorized viewing of response
2021-05-31     High       Potential remote code execution via application startup configuration
2021-05-31     High       Attacker with SSRF ability can reset system user password
2021-05-31     High       Attacker with SSRF capability can obtain application secrets
2021-05-31     High       Maliciously crafted HTTP request to Gradle Enterprise may allow remote code execution
2021-02-08     High       Potential compromise of build or agent environment by test distribution agent or client imposter
2020-09-18     High       Build scan Export API is susceptible to cross-origin requests
2020-09-15     Critical   Test distribution usage search form allows XSS
2020-09-15     Critical   Potential disclosure of session cookies via header reflection
2020-09-15     High       CSRF prevention token is overridable by user code
2020-09-15     Moderate   Build project names and build volumes are accessible without authentication
2020-09-15     Moderate   Login sessions are not terminated on browser closure
2020-09-15     Moderate   SAML IDP metadata XML upload is vulnerable to server-side request forgery via XXE injection
2020-09-15     Moderate   Request cookies containing CSRF prevention token are not same-site restricted
2020-09-15     Moderate   Local user login is susceptible to brute force password guessing
2020-09-15     Moderate   CSRF prevention cookie is susceptible to capture by MITM on HTTP redirect
2020-07-15     Critical   Potential local privilege escalation during build due to unrestricted input deserialization
2019-04-22     High       Build cache credentials are reflected in administration screens
2019-04-22     High       Build cache credentials are stored unencrypted at rest