Develocity Security Advisories

The following is a list of security advisories relating to Develocity and its associated components.
Gradle build tool security advisories can be found here.

Published at Severity Summary
2024-05-02 Moderate Cross-Site Request Forgery on Develocity API calls
2023-12-04 Moderate Non-unique initial system user password may allow unauthorized access to new installation
2022-11-26 High JSON deserialization vulnerability allows remote attacker to cause denial of service via maliciously crafted HTTP request
2022-11-26 Moderate Exposure of HTTP proxy password in the Gradle Enterprise administration user interface
2022-10-20 Moderate Docker Hub access credential exposure in Replicated-based installation support bundles
2022-10-19 Moderate Exposure of S3 access credentials in support bundles
2022-10-04 High Unrestricted access to application HTTP endpoint allows arbitrarily emailing installation admin contact and preventing backups
2022-06-29 Low Weak cipher suite enabled on Build Cache Node
2022-06-03 Moderate Encryption key used for external system passwords is readable in created Kubernetes manifests
2022-06-03 Low System password reset via Admin CLI allows command injection and password leakage
2022-04-22 High Potential information disclosure and remote code execution via TLS bypass due to Java ECDSA cryptographic bypass vulnerability
2022-04-19 Low Potential remote-code-execution and denial-of-service via zlib dependency
2022-04-04 Low Libraries vulnerable to Spring4Shell are distributed with Gradle Enterprise
2022-03-24 High Default installation configuration allows anonymous access to some admin configuration
2022-03-24 Moderate Potential remote code execution via database connection parameters
2022-03-15 Low Keycloak legacy cookies are not secured
2022-03-09 Critical Potential remote code execution when running Gradle Enterprise built-in build cache with default configuration
2022-01-07 Moderate HTTP request smuggling vulnerability due to use of Netty
2021-12-13 Critical Remote code execution vulnerability due to use of Log4j2
2021-10-25 High Open redirect vulnerability in Replicated admin console
2021-10-21 High Installation configuration information exposure in Replicated admin console
2021-10-15 Critical Potential remote code execution when running build cache node with default configuration
2021-10-15 Moderate Potential probing of server side network environment via SMTP configuration test
2021-05-31 Critical Crafted HTTP request to Gradle Enterprise can allow unauthorized viewing of response
2021-05-31 High Potential remote code execution via application startup configuration
2021-05-31 High Attacker with SSRF ability can reset system user password
2021-05-31 High Attacker with SSRF capability can obtain application secrets
2021-05-31 High Maliciously crafted HTTP request to Gradle Enterprise may allow remote code execution
2021-02-08 High Potential compromise of build or agent environment by test distribution agent or client imposter
2020-09-18 High Build scan Export API is susceptible to cross-origin requests
2020-09-15 Critical Test distribution usage search form allows XSS
2020-09-15 Critical Potential disclosure of session cookies via header reflection
2020-09-15 High CSRF prevention token is overridable by user code
2020-09-15 Moderate Build project names and build volumes are accessible without authentication
2020-09-15 Moderate Login sessions are not terminated on browser closure
2020-09-15 Moderate SAML IDP metadata XML upload is vulnerable to server-side request forgery via XXE injection
2020-09-15 Moderate Request cookies containing CSRF prevention token are not same-site restricted
2020-09-15 Moderate Local user login is susceptible to brute force password guessing
2020-09-15 Moderate CSRF prevention cookie is susceptible to capture by MITM on HTTP redirect
2020-07-15 Critical Potential local privilege escalation during build due to unrestricted input deserialization
2019-04-22 High Build cache credentials are reflected in administration screens
2019-04-22 High Build cache credentials are stored unencrypted at rest