Attacker with SSRF capability can obtain application secrets

Affected product(s)

  • Gradle Enterprise 2017.6 - 2021.1.2

Severity

High

Description

An attacker able to perform Server Side Request Forgery (SSRF) can potentially read private application configuration, including secrets used as credentials to connect to other systems such as the application database. The attack requires two steps: the attacker must first find and exploit an SSRF vulnerability in the application, then discover the unadvertised address of an HTTP endpoint that is reachable only from the server side and returns that configuration.

As of version 2021.1.3, the endpoint in question requires additional access credentials, so being reachable from the server side is no longer sufficient to read it.
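The following is an added illustration of the vulnerability class and of the hardening the advisory describes; it is not Gradle Enterprise code, and the endpoint path, configuration keys, token and the in-process "fetch" that stands in for an SSRF primitive are all hypothetical. It contrasts an internal endpoint whose only access control is that it is reachable from the server side with one that additionally demands a credential the SSRF primitive cannot supply.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data standing in for the private application
# configuration the advisory refers to (hypothetical keys and values).
PRIVATE_CONFIG = {
    "database.url": "jdbc:postgresql://db.internal:5432/app",
    "database.password": "example-db-password",
}

# Hypothetical credential the hardened endpoint requires. It is generated
# per process here; a real deployment would provision it out of band.
CONFIG_ENDPOINT_TOKEN = secrets.token_urlsafe(32)


@dataclass
class Request:
    path: str
    remote_addr: str                      # peer address as seen by the server
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def config_endpoint_locality_only(req: Request) -> Response:
    """'Before' pattern: the endpoint is not advertised and answers only to
    loopback peers, and that reachability is the whole access control."""
    if req.path != "/internal/config":
        return Response(404)
    if req.remote_addr != "127.0.0.1":
        return Response(403)
    return Response(200, dict(PRIVATE_CONFIG))


def config_endpoint_with_credential(req: Request) -> Response:
    """'After' pattern: loopback-only reachability is kept, but an explicit
    bearer credential is also required, checked in constant time."""
    if req.path != "/internal/config":
        return Response(404)
    if req.remote_addr != "127.0.0.1":
        return Response(403)
    scheme, _, presented = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(
        presented.encode(), CONFIG_ENDPOINT_TOKEN.encode()
    ):
        return Response(401)
    return Response(200, dict(PRIVATE_CONFIG))


def ssrf_fetch(user_supplied_url: str, endpoint) -> Response:
    """Stand-in for an application feature that fetches a user-supplied URL
    from the server side without restricting the destination: the SSRF
    primitive. Because the request originates on the server, the internal
    endpoint sees a loopback peer, but the attacker controls only the URL,
    not the request headers, so no Authorization header is sent. This
    constructed model only routes loopback targets."""
    parts = urlsplit(user_supplied_url)
    if parts.hostname not in ("127.0.0.1", "localhost"):
        return Response(502, {"error": "only loopback is modelled here"})
    return endpoint(Request(path=parts.path, remote_addr="127.0.0.1"))


def legitimate_server_side_client(endpoint) -> Response:
    """A server-side component that holds the credential and is entitled
    to read the configuration."""
    return endpoint(Request(
        path="/internal/config",
        remote_addr="127.0.0.1",
        headers={"Authorization": f"Bearer {CONFIG_ENDPOINT_TOKEN}"},
    ))


if __name__ == "__main__":
    attacker_url = "http://127.0.0.1:8080/internal/config"
    before = ssrf_fetch(attacker_url, config_endpoint_locality_only)
    after = ssrf_fetch(attacker_url, config_endpoint_with_credential)
    print("before hardening:", before.status, sorted(before.body))
    print("after hardening: ", after.status, sorted(after.body))
    print("legitimate client:", legitimate_server_side_client(
        config_endpoint_with_credential).status)
```

The credential check is the part that matters: it turns "can the attacker make the server send a request to this address" into "can the attacker make the server send a request carrying this secret", which a plain URL-controlled SSRF does not allow. If the SSRF primitive also lets the attacker inject headers or request bodies, the endpoint credential alone is not enough and the SSRF itself must be fixed, which is why the advisory treats the credential as a hardening step rather than a substitute for removing the SSRF.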

Mitigation

Upgrade to Gradle Enterprise 2021.1.3.