Crafted HTTP request to Gradle Enterprise can allow unauthorized viewing of response

Affected product(s)

  • Gradle Enterprise 2020.4 - 2021.1.1

Severity

Critical

Description

The vulnerability is triggered by sending a GET HTTP request to the Gradle Enterprise application that includes the header "X-Gradle-Enterprise-Ajax-Request". When this header is present, requests that should be rejected for insufficient access permissions are effectively allowed: the response carries a status code of 401 (Unauthorized), but it also carries the response body of the requested resource, bypassing the access control.

An attacker can use this to view build data and application configuration information that they would not otherwise be able to see. It cannot be used to update or change any aspect of the system. It also does not affect build cache or test distribution operation. It cannot be used to view credentials used by Gradle Enterprise to connect to other systems, such as an SMTP or LDAP server.

Mitigation

The most effective mitigation is to update to Gradle Enterprise 2020.1.3. Alternatively, if you have Gradle Enterprise deployed behind a layer 7 network proxy, you can mitigate the vulnerability by disallowing responses from Gradle Enterprise for requests containing the “X-Gradle-Enterprise-Ajax-Request” header and with a response status of 401.
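The proxy rule described above, and a check for the leak pattern the Description section identifies (a 401 whose body is non-empty), as an added example. This is not Gradle Enterprise's code or a rule shipped by the vendor; the `Exchange` record, the sample paths and the JSON payloads are constructed for illustration, and the header name comes from the advisory.

```python
"""Added example, not Gradle Enterprise's or the advisory's own code.

Implements the interim layer-7 rule from the advisory: a request that carries
the X-Gradle-Enterprise-Ajax-Request header and receives a 401 from the
application must not have its response body forwarded to the client. Also
includes a small scan that flags captured exchanges showing the leak pattern
(401 with a non-empty body). The Exchange record and sample traffic are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header name from the advisory; compared case-insensitively because HTTP
# header names are case-insensitive.
AJAX_HEADER = "x-gradle-enterprise-ajax-request"


@dataclass(frozen=True)
class Exchange:
    """One proxied request/response pair (constructed record type)."""
    method: str
    path: str
    request_headers: Dict[str, str]
    status: int
    body: bytes


def has_ajax_header(headers: Dict[str, str]) -> bool:
    """True if the header is present at all; the advisory keys on presence, not value."""
    return any(name.lower() == AJAX_HEADER for name in headers)


def is_suspect(ex: Exchange) -> bool:
    """The combination the advisory tells a proxy to disallow: header present and 401 upstream."""
    return has_ajax_header(ex.request_headers) and ex.status == 401


def filter_response(ex: Exchange) -> Tuple[int, bytes]:
    """Proxy-side filter: keep the 401 status but strip the body for suspect exchanges.

    Normal UI requests (header present, status 200) and ordinary 401s without the
    header pass through unchanged, so the application's own AJAX traffic keeps working.
    """
    if is_suspect(ex):
        return 401, b""
    return ex.status, ex.body


def find_leaks(exchanges: List[Exchange]) -> List[str]:
    """Detection over captured traffic: suspect exchanges whose 401 carried a body.

    Returns "METHOD path" strings so an operator can see which resources were exposed.
    """
    return [f"{ex.method} {ex.path}" for ex in exchanges if is_suspect(ex) and ex.body]


# Constructed sample traffic; paths and payloads are illustrative only.
SAMPLE_EXCHANGES = [
    Exchange("GET", "/api/builds/example-1",
             {"X-Gradle-Enterprise-Ajax-Request": "true"}, 401, b'{"build":"example-1"}'),
    Exchange("GET", "/api/config",
             {"x-gradle-enterprise-ajax-request": ""}, 401, b'{"setting":"value"}'),
    Exchange("GET", "/api/builds/example-1", {}, 401, b""),  # ordinary rejected request
    Exchange("GET", "/api/builds/example-2",
             {"X-Gradle-Enterprise-Ajax-Request": "true"}, 200, b'{"build":"example-2"}'),  # legitimate UI call
]

if __name__ == "__main__":
    for ex in SAMPLE_EXCHANGES:
        status, body = filter_response(ex)
        print(f"{ex.method} {ex.path} -> {status}, {len(body)} body bytes forwarded")
    print("leak pattern seen for:", find_leaks(SAMPLE_EXCHANGES))
```

The filter keeps the 401 status and only drops the body, which matches the advisory's wording; an operator who prefers to reject the whole response can return a 403 at the same decision point. Note that blocking every request carrying the header would also break the application's legitimate AJAX calls, which is why the rule keys on the header and the 401 status together.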