All advisories

Potential remote code execution when running Gradle Enterprise built-in build cache with default configuration

Affected product(s)

  • Gradle Enterprise < 2021.4.2

Severity

Critical

Published at

2022-03-09

Related CVE ID(s)

Description

Prior to Gradle Enterprise 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build.

As of Gradle Enterprise 2021.4.2 the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access control settings before it can be used.

Remote build cache nodes are unaffected as they are inaccessible-by-default.

Mitigation

Users who have used the default settings without considering whether open access is desirable in their environment should review their settings. This can be done by an administrator with access to /cache-admin/node/built-in.

Gradle Enterprise 2021.4.2 or later should be used for any new installations to avoid unintentional open write access to the built-in build cache.