Potential remote code execution via database connection parameters

Gradle Enterprise uses the PostgreSQL database and its JDBC driver. A vulnerability was discovered with this driver that allows an attacker who can control particular parameters of a database connection URL to achieve remote code execution (RCE) if a separate “gadget” vulnerability exists in the application that can be invoked by instantiating a class.

With Gradle Enterprise, only administrators with host-level access to the installation and those with access to the Replicated admin console (for applicable installations) can configure the database connection URL. An attacker would first need to achieve this level of access to exploit this vulnerability. Additionally, no “gadget” vulnerabilities are known to be present within the Gradle Enterprise application runtime.

Gradle Enterprise 2022.1 updates the version of the Postgres JDBC driver, which is more strict about the code that it attempts to load based on the connection URL.