HTTP request smuggling vulnerability due to use of Netty

Gradle Enterprise components use the Netty library, which for versions <= 4.1.7.1.Final is vulnerable to HTTP request smuggling attacks.

Attackers can use HTTP request smuggling to attach “extra” HTTP requests to a legitimate-looking request. These extra requests can then be used in a variety of ways, including bypassing security controls in order to launch other attacks (such as accessing protected data or poisoning a cache). See CAPEC-33: HTTP Request Smuggling and this article from the Web Application Security Consortium for more information. No Gradle Enterprise specific attacks based on this general vulnerability are known of at this time.

This vulnerability is applicable to Gradle Enterprise components that accept HTTP traffic, and are not fronted by a proxy that does not have the same vulnerability.

The Gradle Enterprise application is not vulnerable as it includes a proxy that mitigates the problem, though it does include the vulnerable library.

The Gradle Enterprise Test Distribution Agent is not vulnerable as it does not serve HTTP requests, though it does include the vulnerable library.

The Gradle Enterprise built-in Build Cache Node is not vulnerable as it includes a proxy that mitigates the problem, though it does include the vulnerable library.

The Build Cache Node is vulnerable when used as a remote node, unless it is fronted by a network proxy that does not have the same vulnerability. Build Cache Node users not also using such a network proxy should upgrade as soon as possible.