Attacker with SSRF capability can obtain application secrets
- Gradle Enterprise 2017.6 - 2021.1.2
Related CVE ID(s)
An attacker with the ability to perform Server Side Request Forgery (SSRF) can potentially access private application configuration information containing secrets used as credentials to connect to other systems such as the application database. An attacker must first find and utilize a SSRF vulnerability within the application, then discover the unadvertised address of the HTTP endpoint that is only accessible from the server side.
As of 2021.1.3, the endpoint in question requires extra access credentials.
Upgrade to Gradle Enterprise 2021.1.3.