Potential remote code execution via database connection parameters

Affected product(s)

  • Gradle Enterprise < 2022.1

Severity

Moderate

Published at

2022-03-24

Related CVE ID(s)

Description

Gradle Enterprise uses a PostgreSQL database and connects to it through the PostgreSQL JDBC driver. A vulnerability was discovered in this driver: certain parameters of the database connection URL name Java classes that the driver loads and instantiates, so an attacker who can control those parameters can cause arbitrary classes on the application classpath to be instantiated. This becomes remote code execution (RCE) only if a separate “gadget” vulnerability exists in the application, that is, a class whose instantiation performs a dangerous action.

With Gradle Enterprise, only administrators with host-level access to the installation, and those with access to the Replicated admin console (for installations that use it), can configure the database connection URL. An attacker would first need to obtain that level of access to exploit this vulnerability. Additionally, no “gadget” vulnerabilities are known to be present in the Gradle Enterprise application runtime.

Gradle Enterprise 2022.1 updates the PostgreSQL JDBC driver to a version that is stricter about which classes it will load based on the connection URL.
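The following is an added example, not code from Gradle Enterprise or from the JDBC driver, of the kind of check an operator can run over a configured connection URL before it reaches the driver: it parses the URL and reports any parameter whose value the driver would treat as a class name to instantiate. The set of class-loading parameter names is taken from the PostgreSQL JDBC driver documentation, not from this advisory, and the allow-list of expected parameters is a deployment-specific assumption; the sample URLs are constructed for the example.

```python
"""
Check a PostgreSQL JDBC connection URL for parameters that make the driver
instantiate a Java class named in the URL, before the URL is handed to it.
"""
from urllib.parse import parse_qsl, urlsplit

# Connection parameters whose value is a fully qualified Java class name that
# the PostgreSQL JDBC driver loads and instantiates. The names come from the
# pgjdbc documentation, not from the advisory; keep this set current against
# the driver version actually in use (assumption, not part of the product).
CLASS_LOADING_PARAMS = frozenset(name.lower() for name in (
    "socketFactory",
    "sslfactory",
    "sslhostnameverifier",
    "sslpasswordcallback",
    "authenticationPluginClassName",
))

# Parameters an operator is expected to set for this deployment. Anything not
# listed is reported so that an unexpected addition is noticed. This list is a
# deployment-specific assumption, not a driver or product default.
ALLOWED_PARAMS = frozenset(name.lower() for name in (
    "user", "password", "ssl", "sslmode", "sslrootcert",
    "connectTimeout", "applicationName",
))


def parse_jdbc_url(url):
    """Return (host, port, database, [(key, value), ...]) for a pgjdbc URL.

    Only the 'jdbc:postgresql://host[:port]/db?k=v' form is handled; the
    shorter forms without a host part are rejected rather than guessed at.
    """
    if not url.startswith("jdbc:postgresql://"):
        raise ValueError("not a jdbc:postgresql:// URL")
    # Drop the 'jdbc:' prefix so urlsplit sees an ordinary scheme://netloc URL.
    parts = urlsplit(url[len("jdbc:"):])
    if not parts.hostname:
        raise ValueError("host missing from connection URL")
    params = parse_qsl(parts.query, keep_blank_values=True)
    return parts.hostname, parts.port or 5432, parts.path.lstrip("/"), params


def check_connection_url(url, allowed=ALLOWED_PARAMS):
    """Return a list of findings for the URL; an empty list means it passed.

    Names are compared case-insensitively on purpose: the aim is to flag
    anything that looks like a class-loading parameter, not to mirror the
    driver's exact property-name resolution.
    """
    _, _, _, params = parse_jdbc_url(url)
    findings = []
    for key, value in params:
        lowered = key.lower()
        if lowered in CLASS_LOADING_PARAMS:
            findings.append(
                f"class-loading parameter {key}={value!r} is not permitted")
        elif lowered not in allowed:
            findings.append(f"unexpected parameter {key!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs: one as an operator would normally configure it,
    # one carrying a parameter that names a class for the driver to instantiate.
    samples = [
        "jdbc:postgresql://db.internal:5432/ge?user=ge&sslmode=require",
        "jdbc:postgresql://db.internal/ge?user=ge&socketFactory=com.example.Evil",
    ]
    for sample in samples:
        result = check_connection_url(sample)
        print(sample, "->", result or "OK")
```

The check inspects only what an administrator entered; it does not change what the driver itself will load, so it complements the upgrade described above rather than replacing it.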

Mitigation

The only available mitigation is to update to Gradle Enterprise 2022.1.