
Maliciously crafted HTTP request to Gradle Enterprise may allow remote code execution

Affected product(s)

  • Gradle Enterprise 2017.2 - 2021.1.2

Severity

High

Description

Gradle Enterprise stores application session data in client-side cookies, encrypted and signed with randomly generated, installation-specific keys. On each request, this session data is deserialized into Java objects.

An attacker who has obtained the encryption and signing keys could craft an HTTP request whose session cookie deserializes into unsafe objects, leading to remote code execution. This class of issue is known as an “insecure deserialization” vulnerability, or a “gadget” vulnerability.

As of Gradle Enterprise 2021.1.3, additional measures have been put in place that prevent such a crafted request from deserializing arbitrary unsafe objects.
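The advisory does not say which measures 2021.1.3 adds. The standard way to stop a signed-but-attacker-controlled cookie body from instantiating arbitrary classes is a JEP 290 deserialization filter (`java.io.ObjectInputFilter`, Java 9+) that allowlists the session type and rejects everything else before any `readObject()` logic runs. The following is an added example, not Gradle Enterprise's code: the `SessionData` type, the `deserializeUnfiltered`/`deserializeFiltered` helpers and the sample payloads are constructed for illustration, and `HashMap` stands in for an attacker-chosen class (no gadget chain is used).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example (not Gradle Enterprise's code): restrict what a session cookie's
// serialized body may deserialize into. Requires Java 9+ for java.io.ObjectInputFilter.
public class SessionDeserialization {

    // Hypothetical session payload; the only type the cookie is supposed to carry.
    public static final class SessionData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String userId;
        final long expiresAtEpochSeconds;

        SessionData(String userId, long expiresAtEpochSeconds) {
            this.userId = userId;
            this.expiresAtEpochSeconds = expiresAtEpochSeconds;
        }
    }

    // Stand-in for the decrypted, signature-checked cookie body: plain Java serialization.
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    // Vulnerable pattern: whoever can produce a validly signed cookie also chooses the class
    // that gets instantiated, so key compromise becomes arbitrary deserialization.
    static Object deserializeUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter consulted for every class descriptor in the stream.
    // Only the session type (and String, for its fields) is allowed; any other class is
    // rejected before its readObject() can run. A depth cap limits nested-object tricks.
    static final int MAX_DEPTH = 4;

    static final ObjectInputFilter SESSION_FILTER = info -> {
        if (info.depth() > MAX_DEPTH) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            // Per the ObjectInputFilter contract, serialClass() may be null for limit checks.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (cls == SessionData.class || cls == String.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static Object deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(SESSION_FILTER); // must be set before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate session body passes the filter.
        byte[] sessionBody = serialize(new SessionData("alice", 1_700_000_000L));
        SessionData session = (SessionData) deserializeFiltered(sessionBody);
        System.out.println("allowed: session for " + session.userId);

        // Constructed sample: an unexpected class, as an attacker holding the keys could
        // embed. HashMap is harmless here; a real payload would pick a class whose
        // deserialization has side effects.
        HashMap<String, String> unexpected = new HashMap<>();
        unexpected.put("any", "thing");
        byte[] craftedBody = serialize(unexpected);

        Object accepted = deserializeUnfiltered(craftedBody);
        System.out.println("unfiltered accepted: " + accepted.getClass().getName());

        try {
            deserializeFiltered(craftedBody);
            System.out.println("BUG: filter did not reject the crafted body");
        } catch (InvalidClassException e) {
            // ObjectInputStream reports a rejected class as InvalidClassException.
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The per-stream filter above is the minimum; in a deployment it is worth also setting a process-wide filter via the `jdk.serialFilter` system property as defence in depth, and the allowlist does not remove the need to keep the encryption and signing keys out of an attacker's hands.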

Mitigation

Upgrade to Gradle Enterprise 2021.1.3.