Potential remote code execution via application startup configuration

Affected product(s)

  • Gradle Enterprise 2020.4 - 2021.1.2

Severity

High

Related CVE ID(s)

Description

The installation configuration user interface available to administrators allows specifying arbitrary Java Virtual Machine startup options. Some startup options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.

As of Gradle Enterprise 2021.1.2, such options are ignored.
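The fix described above amounts to not forwarding the command-executing class of JVM option from the admin UI to the process. The following is an added example of such a filter, written for this page; it is not Gradle Enterprise's own code and does not reflect how the vendor implemented the change. It rejects -XX:OnOutOfMemoryError (named in the advisory) and -XX:OnError (a documented HotSpot flag with the same run-a-command behaviour), and separately flags options that load additional code at startup (-javaagent, -agentpath, -agentlib, -Xbootclasspath). The sample option string and the function names are constructed for the example.

```python
"""Sanitize administrator-supplied JVM startup options.

Constructed example: an admin UI that passes JVM options through to the
process should drop the ones whose value is a host command the JVM will
execute, and should at least audit the ones that load extra code. Every
other option is passed through unchanged.
"""
import shlex

# Options whose value is a shell command the JVM runs on the host.
# -XX:OnOutOfMemoryError is the flag named in the advisory; -XX:OnError is
# the documented HotSpot flag that behaves the same way on a fatal error.
COMMAND_EXECUTING_PREFIXES = (
    "-xx:onoutofmemoryerror",
    "-xx:onerror",
)

# Options that load additional code into the JVM at startup.
CODE_LOADING_PREFIXES = (
    "-javaagent",
    "-agentpath",
    "-agentlib",
    "-xbootclasspath",
)


def classify_option(option: str):
    """Return a rejection reason for one option, or None if it is allowed.

    Matching is case-insensitive and prefix-based so that the '=' or ':'
    separator and any value after it do not matter. Flags such as
    -XX:+ExitOnOutOfMemoryError do not share these prefixes and pass.
    """
    key = option.strip().lower()
    for prefix in COMMAND_EXECUTING_PREFIXES:
        if key.startswith(prefix):
            return "executes a host command"
    for prefix in CODE_LOADING_PREFIXES:
        if key.startswith(prefix):
            return "loads code into the JVM at startup"
    return None


def filter_jvm_options(raw: str):
    """Split a raw option string as a shell would and partition it.

    Returns (accepted, rejected); rejected is a list of (option, reason)
    tuples suitable for an audit log entry tied to the admin session.
    """
    accepted = []
    rejected = []
    for option in shlex.split(raw):
        reason = classify_option(option)
        if reason is None:
            accepted.append(option)
        else:
            rejected.append((option, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input: an ordinary heap setting and system property plus
    # the kind of option the advisory warns about. "kill -9 %p" is the
    # documented example value for -XX:OnOutOfMemoryError; the filter
    # rejects the flag regardless of what command follows it.
    sample = '-Xmx4g -XX:OnOutOfMemoryError="kill -9 %p" -Dlog.level=INFO'
    ok, dropped = filter_jvm_options(sample)
    print("accepted:", ok)
    for opt, why in dropped:
        print(f"rejected {opt!r}: {why}")
```

A denylist like this closes the specific class of option the advisory names; an allowlist of the memory, GC and system-property flags an administrator legitimately needs is the stricter design where the product can enumerate them.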

Mitigation

Upgrade to Gradle Enterprise 2021.1.2 or later.

Credit

Marat Aytuganov <marat.aytuganov@compass-security.com>