Maliciously crafted HTTP request to Gradle Enterprise may allow remote code execution
Affected product(s)
- Gradle Enterprise 2017.2 - 2021.1.2
Severity
High
Published at
2021-05-31
Related CVE ID(s)
Description
Gradle Enterprise stores application session data in client-side cookies, encrypted and signed with randomly generated, installation-specific keys. When a request is handled, this session data is deserialized into Java objects.
An attacker who has obtained the encryption and signing keys could potentially craft an HTTP request whose session payload deserializes unsafe objects, leading to remote code execution. This class of issue is known as an “insecure deserialization” vulnerability, or a “gadget vulnerability”.
As of Gradle Enterprise 2021.1.3, additional measures have been put in place that prevent such a crafted request from deserializing arbitrary unsafe objects.
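The measure described above is a defense-in-depth control: even if the cookie keys are compromised, the deserializer should refuse any class it does not expect. The following is an added illustration of that pattern using the JDK's `ObjectInputFilter`; it is not Gradle Enterprise's code, and the `SessionData` record and the allow-list contents are assumptions for the example.

```java
import java.io.*;
import java.util.Set;

// Illustration only (not Gradle Enterprise code): session bytes are read through
// an ObjectInputFilter that allow-lists the expected session classes, so a payload
// naming any other class is rejected before that class is instantiated.
public class SessionDeserializationFilter {

    // Hypothetical session record; a real system lists whatever its session holds.
    public static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        SessionData(String userId) { this.userId = userId; }
    }

    // Assumed allow-list: only these classes may appear in a session payload.
    private static final Set<String> ALLOWED =
        Set.of(SessionData.class.getName(), String.class.getName());

    static final ObjectInputFilter SESSION_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // non-class checks (depth, refs)
        if (info.depth() > 3) return ObjectInputFilter.Status.REJECTED; // flat session graph only
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    // Deserialize a (constructed) session payload with the filter installed.
    static Object readSession(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(SESSION_FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        SessionData ok = (SessionData) readSession(serialize(new SessionData("alice")));
        System.out.println("accepted: " + ok.userId);
        // Any class outside the allow-list (a harmless java.util.Date stands in here)
        // is refused with InvalidClassException before its readObject() could run.
        try {
            readSession(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed JVM-wide with `ObjectInputFilter.Config.setSerialFilter`, which also covers deserialization paths the application does not control directly.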
Mitigation
Upgrade to Gradle Enterprise 2021.1.3.