Installation configuration information exposure in Replicated admin console

Affected product(s)

  • Gradle Enterprise < 2021.3.3 (non-Kubernetes)

Severity

High

Related CVE ID(s)

Description

An HTTP request made while using the Replicated administration console, which is used to operate a Gradle Enterprise installation, discloses internal configuration secrets used for cryptography and access control between system components. This effectively grants read-only access to configuration that is intended to be visible only to users with login access to the operating system host.

Mitigation

Upgrade to Gradle Enterprise 2021.3.3 or later, or separately update your Replicated administration console to 2.53.1 or later.

Credit

Stephan Sekula <stephan.sekula@compass-security.com>

References