Default installation configuration allows anonymous access to some admin configuration
Affected product(s)
- Gradle Enterprise 2020.4 - Gradle Enterprise 2021.4.3
Severity
High
Published at
2022-03-24
Related CVE ID(s)
Description
When creating a new Gradle Enterprise installation without specifying an initial configuration file, the default access control settings allow anonymous access to build cache administration and the Export API. This is different to the intended and documented default configuration, which is to only allow viewing and publishing of build scans by anonymous users.
In particular, build cache administration should be restricted to trusted users. An attacker may achieve remote code execution (RCE) by changing the build cache access control settings to allow them to store malicious software in the cache.
As of Gradle Enterprise 2022.1 the anonymous user access control settings are aligned with the documented defaults, disallowing modifying build cache configuration.
Mitigation
Administrators should audit the anonymous user access control settings, which can be done via /admin/access/anonymous within Gradle Enterprise.
Upgrading to Gradle Enterprise 2022.1 will not change the existing anonymous access control settings. New installations of Gradle Enterprise 2022.1 or later will use the correct defaults.
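As an added example (not part of the advisory and not Gradle's own tooling), the following Python script helps with the audit step above: it sends unauthenticated GET requests to a short list of paths on an instance you operate and reports which ones answer without demanding credentials. The /admin/access/anonymous path comes from the advisory; the Export API path /build-export/v2/builds/since/0 and the assumption that protected endpoints answer 401 or 403 are assumptions of this example, not facts stated on the page. Redirects are deliberately not followed, because a redirect to a login page would otherwise show up as a misleading 200.

```python
"""Anonymous-access audit for a Gradle Enterprise instance (added example).

Assumptions not stated in the advisory:
  - the Export API is served at /build-export/v2/builds/since/0
  - a protected endpoint answers an unauthenticated request with 401 or 403
  - an endpoint open to anonymous users answers with a 2xx status
"""
import sys
import urllib.error
import urllib.request

# Paths probed without credentials. The first is named in the advisory;
# the Export API path is an assumption about the deployment being audited.
PROBES = {
    "/admin/access/anonymous": "anonymous access-control settings (from advisory)",
    "/build-export/v2/builds/since/0": "Export API (assumed path)",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so a login redirect is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch_status(base_url, path, timeout=10):
    """Return the HTTP status an unauthenticated GET receives, or None on network error."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # Non-2xx answers (including unfollowed redirects) surface here.
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def assess(statuses):
    """Map {path: status} to a human-readable finding per path."""
    findings = {}
    for path, status in statuses.items():
        if status is None:
            findings[path] = "unreachable"
        elif status in (401, 403):
            findings[path] = "requires authentication"
        elif 300 <= status < 400:
            findings[path] = "redirected (likely to a login page)"
        elif 200 <= status < 300:
            findings[path] = "anonymous access allowed"
        else:
            findings[path] = "unexpected status %d" % status
    return findings


def has_exposure(statuses):
    """True if any probed path is reachable without authentication."""
    return any(v == "anonymous access allowed" for v in assess(statuses).values())


def audit(base_url):
    """Probe every path in PROBES and return the findings dict."""
    statuses = {path: fetch_status(base_url, path) for path in PROBES}
    return assess(statuses)


if __name__ == "__main__":
    # Usage: python audit_anonymous.py https://gradle-enterprise.example.invalid
    base = sys.argv[1] if len(sys.argv) > 1 else "https://gradle-enterprise.example.invalid"
    for path, finding in audit(base).items():
        print("%-40s %s  [%s]" % (path, finding, PROBES[path]))
```

Any path reported as "anonymous access allowed" should be compared against what the anonymous user is intended to be able to do (viewing and publishing build scans only); anything beyond that is a setting to correct via /admin/access/anonymous, since upgrading alone does not change existing settings.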